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respect  to  properties  concerning  the  information  possessed  by  the  agents,  and 
how  this  information  changes  over  time.  The  project  investigated  an  approach 
the  optimization  of  epistemic  model  checking  using  reasoning  about  independen¬ 
cies  detected  by  means  of  a  static  analysis  technique.  A  theoretical  basis  for  the 
optimization  was  developed,  extending  prior  work  on  conditional  independen¬ 
cies  from  the  Bayesian  Net  literature.  The  resulting  algorithm  was  implemented 
in  the  epistemic  model  checker  MCK.  Experiments  on  a  number  of  benchmarks 
for  epistemic  model  checking  confirm  that  the  optimization  results  in  significant 
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Optimizing  Epistemic  Model  Checking  using 
Conditional  Independence* 

Ron  van  der  Meyden 
October  13,  2016 


Abstract 

Conditional  independence  reasoning  has  been  shown  to  be  helpful  in 
the  context  of  Bayesian  nets  to  optimize  probabilistic  inference,  and  re¬ 
lated  techniques  have  been  applied  to  speed  up  a  number  of  logical  reason¬ 
ing  tasks  in  boolean  logic  by  eliminating  irrelevant  parts  of  the  formulas. 
This  paper  shows  that  conditional  independence  reasoning  can  also  be 
applied  to  optimize  epistemic  model  checking,  in  which  one  verifies  that 
a  model  for  a  number  of  agents  operating  with  imperfect  information 
satisfies  a  formula  expressed  in  a  modal  multi-agent  logic  of  knowledge. 
An  optimization  technique  is  developed  that  precedes  the  use  of  a  model 
checking  algorithm  with  an  analysis  that  applies  conditional  independence 
reasoning  to  reduce  the  size  of  the  model.  The  optimization  has  been 
implemented  in  the  epistemic  model  checker  MCK.  The  paper  reports 
experimental  results  demonstrating  that  it  can  yield  multiple  orders  of 
magnitude  performance  improvements. 


1  Introduction 

Epistemic  model  checking  [14]  is  a  technique  for  the  verification  of  information 
theoretic  properties,  stated  in  terms  of  a  modal  logic  of  knowledge,  in  systems  in 
which  multiple  agents  operate  with  imperfect  information  of  their  environment. 
It  has  been  applied  to  settings  that  include  diagnosis  [8] ,  and  reasoning  in  game¬ 
like  settings  [15,  16,  32],  concurrent  hardware  protocols  [3]  and  security  protocols 
[1,  7,  31]. 

In  dealing  with  imperfect  information,  the  models  of  epistemic  model  check¬ 
ing  can  be  viewed  as  a  discrete  relative  of  probabilistic  models.  The  Bayesian 
net  literature  has  developed  some  very  effective  techniques  for  the  optimization 
of  probabilistic  reasoning  based  on  the  elimination  of  variables  and  conditional 
independence  reasoning  [19,  24].  Similar  ideas  have  been  shown  to  be  applicable 
to  reasoning  in  propositional  logic  [11]. 

*Version  of  Oct  12,  2016.  Work  supported  by  US  Air  Force,  Asia  Office  of  Aerospace 
Research  and  Development,  grant  AFOSR  FA2386-15-1-4057.  Thanks  to  Xiaowei  Huang  and 
Kaile  Su  for  some  preliminary  discussions  and  investigations  on  the  topic  of  this  paper. 
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The  contribution  of  the  present  paper  is  to  demonstrate  that  these  condi¬ 
tional  independence  techniques  from  the  Bayesian  Net  literature  can  also  be  ap¬ 
plied  in  the  context  of  epistemic  model  checking.  We  develop  a  generalization  of 
these  techniques  for  a  multi-agent  modal  logic  of  knowledge,  that  enables  model 
checking  computations  for  this  logic  to  be  optimized  by  reducing  the  number  of 
variables  that  need  to  be  included  in  data  structures  used  by  the  computation. 

In  epistemic  model  checking,  one  represents  the  model  as  a  concurrent  pro¬ 
gram,  in  which  each  of  the  agents  executes  a  protocol  in  the  context  of  an 
environment.  We  provide  a  symbolic  execution  method  for  generating  from  this 
concurrent  program  a  directed  acyclic  graph  representing  the  model  using  sym¬ 
bolic  values.  Conditional  independence  reasoning  is  used  to  reduce  this  directed 
graph  to  a  smaller  one  that  removes  variables  that  can  be  determined  to  be 
irrelevant  to  the  formula  to  be  model  checked.  Epistemic  model  checking  can 
then  be  performed  in  this  reduced  representation  of  the  model  using  any  of  a 
number  of  approaches,  including  binary  decision  diagrams  [9]  and  SAT-based 
techniques  (bounded  model  checking  [6]). 

We  have  implemented  the  technique  in  the  epistemic  model  checker  MCK 
[14].  The  technique  developed  can  be  applied  for  other  semantics  and  algo¬ 
rithms,  but  we  focus  here  on  agents  with  synchronous  perfect  recall  and  model 
check  the  reduced  representation  using  binary  decision  diagram  techniques.  The 
synchronous  perfect  recall  semantics  presents  the  most  significant  challenges  to 
the  computational  cost  of  epistemic  model  checking,  since  it  leads  to  a  rapid 
blowup  in  the  number  of  variables  that  need  to  be  handled  by  the  symbolic 
model  checking  algorithms. 

The  paper  presents  experimental  results  that  demonstrate  that  the  condi¬ 
tional  independence  optimization  yields  very  significant  gains  in  the  performance 
of  epistemic  model  checking.  Depending  on  the  example,  the  optimization  yields 
a  speedup  as  large  as  four  orders  of  magnitude.  Indeed,  it  can  yield  linear  growth 
rates  in  computation  time  on  examples  that  otherwise  display  an  exponential 
growth  rate.  It  adds  significantly  to  the  scale  of  the  examples  that  can  be  an¬ 
alyzed  in  reasonable  time,  increasing  both  the  number  of  agents  that  can  be 
handled,  the  length  of  their  protocols,  and  the  size  of  messages  they  communi¬ 
cate. 

The  structure  of  the  paper  is  as  follows.  Section  2  provides  background  on 
the  multi-agent  epistemic  logic  that  we  consider,  and  on  the  epistemic  model 
checking  problem.  An  example  of  an  application  of  epistemic  model  checking, 
Chaum’s  Dining  Cryptographers  protocol  [10]  is  described  in  Section  3.  Sec¬ 
tion  4  recalls  Shenoy  and  Shafer’s  valuation  algebra,  which  provides  a  general 
framework  for  algorithms  from  both  the  database  and  Bayesian  reasoning  liter¬ 
ature  based  on  variable  elimination.  A  particular  instance  of  this  framework  is 
introduced  that  is  relevant  to  the  present  paper.  Section  5  describes  the  notion 
of  conditional  independence  (for  a  discrete  rather  than  probabilistic  setting) 
that  we  use,  and  recalls  ideas  from  the  literature  that  show  how  conditional  in¬ 
dependencies  can  be  deduced  in  models  equipped  with  a  directed  acyclic  graph 
structure.  These  ideas  are  then  applied  to  our  setting  of  epistemic  model  check¬ 
ing.  Section  6  illustrates  the  application  of  these  techniques  on  the  Dining 
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Cryptographers  problem.  We  then  turn  to  describing  our  implementation  of 
the  optimization  in  MCK.  Section  7  describes  the  symbolic  evaluation  method 
that  relates  program-based  model  checking  inputs  to  directed  graphs  and  the 
overall  structure  of  the  implementation.  Section  8  gives  the  results  of  exper¬ 
iments  that  compare  performance  of  the  optimized  implementation  of  model 
checking  with  previous  implementations.  Section  9  concludes  with  a  discussion 
of  related  work  and  future  directions.  Appendix  A  provides  additional  detail  on 
the  experiments. 


2  Background:  Epistemic  Logic 

We  begin  by  recalling  some  basic  definitions  from  epistemic  logic  and  epistemic 
model  checking.  We  first  define  epistemic  Kripke  structures  and  a  particular 
representation  of  them  that  we  use  in  this  paper,  and  then  show  how,  in  the 
context  of  model  checking,  an  epistemic  Kripke  structure  provides  semantics  for 
a  multi-agent  setting  in  which  each  agent’s  behaviour  is  described  by  a  program. 

2.1  Epistemic  Kripke  Structures 

Let  V  be  a  set  of  atomic  propositions,  which  we  also  call  variables.  An  assign¬ 
ment  for  a  set  of  variables  V  is  a  mapping  a  :  V  — >  {0, 1}.  We  write  assgt(V ) 
for  the  set  of  all  assignments  to  variables  V.  We  denote  the  restriction  of  a 
function  /  :  S  — »  T  to  a  subset  R  of  the  domain  S'  by  /  f  R. 

The  syntax  of  epistemic  logic  for  a  set  Agts  of  agents  is  given  by  the  grammar 

(j>  ::=p  |  ->4>  |  (f>  A  4>  |  Ki(j) 

where  p  G  V  and  i  €  Agts.  That  is,  the  language  is  a  modal  propositional  logic 
with  a  set  of  modalities  K, ,  such  that  Kifi  means,  intuitively,  that  the  agent 
i  knows  that  </>.  We  freely  use  common  abbreviations  from  propositional  logic, 
e.g.,  we  write  </> i  V  <j>2  for  — >(— >0 1  A  -<(/) 2)  and  <fi  1  =>  fa  for  -><j)  1  V  <f>2  and  <f>i  (f>2 
for  {cj)i  =>  <)> 2)  A  {<j>2  =>  <t>  1).  We  write  vars((j>)  for  the  set  of  variables  occurring 
in  the  formula  <j>. 

Abstractly,  an  epistemic  Kripke  structure  for  a  set  of  variables  V  is  a  tuple 
M  =  (W,  ~,7r)  where  W  is  a  set,  ~=  {~;}ieA9ts  is  a  collection  of  equivalence 
relations  on  W,  one  for  each  agent  i,  and  tt  :  W  — >  assgt{V)  is  a  function. 
Intuitively,  IT  is  a  set  of  possible  worlds.  The  relation  u  v  holds  for  u,v  €  W 
just  when  agent  i  is  unable  to  distinguish  the  possible  worlds  u  and  v.  i.e. ,  when 
it  is  in  the  world  u,  the  agent  considers  it  to  be  possible  that  it  is  in  world  v, 
and  vice  versa.  For  a  proposition  p,  the  value  tt (u)(p)  =  1  just  when  p  is  true 
at  the  world  u.  We  say  that  M  is  finite  when  it  has  a  finite  set  of  worlds. 

The  semantics  of  epistemic  logic  is  given  by  a  ternary  relation  M.  w  |=  (f>, 
where  M  =  (IT,  ~,  n)  is  a  Kripke  structure,  w  £  W  is  a  world  of  M,  and  <j>  is  a 
formula.  The  definition  is  given  recursively,  by 

1.  M,  w  \=  p  if  7r(w)(p)  =  1,  for  p  £  V, 
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2.  M,  w  |=  ~^<f>  if  not  M,  w  \=  (f, 

3.  M,  w  |=  </>i  A  (f>2  if  M,  w  |=  4> i  and  M ,  w  |=  </>2, 

4.  M,  w  |=  Ki4>  if  M,  u  \=  <f>  for  all  worlds  u  €  IF  with  w  ~j  u. 

Intuitively,  the  clause  for  the  operator  FQ  says  that  Ki<f)  holds  when  <f>  is  true 
at  all  worlds  that  the  agent  considers  to  be  possible.  We  write  M  \=  <p  when 
M,  w  \=  <f>  for  all  worlds  w  £  IF. 

For  two  Kripke  structures  M  =  (IF,  ~,7r)  and  M'  =  7T7) ,  a  bisimu¬ 

lation  with  respect  to  a  set  of  variables  U  C  V  is  a  binary  relation  R  C  IF  x  W' 
such  that: 

1.  (atomic)  If  uRv!  then  ir(u)  \  U  =  7 r(u')  (  U. 

2.  (forth)  If  and  u  u  then  there  exists  v'  €  IF'  such  that  u'  ~j  v' 
and  u'  Rv' . 

3.  (back)  If  uRu'  and  u'  ~j  u'  then  there  exists  v  €  W  such  that  u  v  and 
vRv' . 

If  there  exists  a  bisimulation  whose  projection  on  the  first  component  is  W,  and 
on  the  second  component  is  W' ,  then  we  say  that  the  structures  are  bisimilar 
with  respect  to  U,  and  write  MRjjM'  .  The  following  result  is  well-known  in 
modal  logic  [4], 

Proposition  1.  If  R  is  a  bisimulation  with  respect  to  U  and  w  €  W,w'  €  W' 
are  worlds  with  wRw' ,  then  for  all  formulas  (j>  over  atomic  propositions  U,  we 
have  M,w  \=  (/>  iff  M',w'  \=  (f.  Moreover,  if  MRyM'  then  M  |=  (f)  iff  M'  (=  cj>. 

It  will  be  convenient  to  work  with  a  more  concrete  representation  of  Kripke 
structures  that  treats  worlds  as  assignments  to  variables.  For  simplicity,  we 
assume  that  all  variables  are  boolean. 

Define  an  epistemic  variable  structure  over  a  set  of  variables  V  to  be  a  tuple 
M  =  ( A ,  O,  V)  where  A  C  assgtfV)  and  O  =  {Offi^Agts  is  a  collection  of  sets 
of  variables  O;  C  V,  one  for  each  agent  i.  Intuitively,  such  a  structure  is  an 
alternate  representation  of  a  Kripke  structure,  where  the  indistinguishability 
relation  for  an  agent  is  specified  by  means  of  a  set  of  variables  observable  to  the 
agent. 

Given  an  epistemic  variable  structure  A4  =  {A,  0,V),  we  obtain  a  Kripke 
structure  ks(M)  =  (IF,  ~,7r),  with  IF  =  A.  The  relation  ~j  for  agent  i  is 
defined  by  u  v  when  u  \  Oi  =  v  \  Oi.  The  assignment  7r  is  defined  by 
7 t(w)  =  W. 

Conversely,  any  (finite)  Kripke  structure  AI  =  (IF,  ~,7r)  over  variables  V 
can  be  represented  as  an  epistemic  variable  structure  that  satisfies  the  same  set 
of  formulas  over  F,  but  may  use  a  larger  set  of  variables  to  represent  states. 
The  construction  uses  two  sets  of  additional  variables.1  For  each  equivalence 

1We  give  a  simple  construction  here,  but  note  that  the  result  can  be  proved  using  a  smaller 
set  of  additional  variables,  by  encoding  equivalence  classes  in  binary. 
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class  c  =  [to]*  of  the  equivalence  relation  ~j,  we  define  a  proposition  pc^  whose 
meaning,  intuitively,  is  that  the  current  world  is  in  the  class  c  of  ~j.  Let 

VU  =  {p[w]iti  |  w  G  W,  i  G  Agts}.  For  each  world  w,  we  also  define  a  proposition 

pw  that  means,  intuitively,  that  the  current  world  is  w.  Let  Vw  =  {pw  \  w  £  W}. 
Let  Vm  =  V  U  W,  U  Vw. 

We  extend  the  assignment  n(w),  which  has  domain  V ,  to  an  assignment  nw 
with  domain  Vm,  by  defining 

•  7r w(p)  =  7 t(w)(p),  for  p  G  V ,  and 

•  Kw(p)  =  1  iff  w  G  [u]»,  for  p  =  P[u]ui  G  V~,  and 

•  7T w(p )  =  1  iff  w  =  u,  for  p  =  pu  G  Vw- 

Write  Aw  for  the  set  {irw  \  w  G  W}.  Define  vs(M)  to  be  the  epistemic  variable 
structure  (Aw,  O),  where  Oi  =  {p[w]i}i  \  w  G  W}  for  each  i  G  Agts.  That  is,  the 
assignments  in  this  structure  are  the  extended  assignments  ttw  ,  and  we  take  the 
set  of  observable  variables  to  be  precisely  the  set  of  variables  W  representing 
equivalence  classes. 

Proposition  2.  If  M  is  a  Kripke  structure  over  variables  V ,  then  M  is  bisimilar 
to  ks(vs(M))  with  respect  to  V. 

Proof.  When  M  has  worlds  W,  the  Kripke  structure  ks(vs(M))  has  the  same 
set  of  worlds  as  vs(M),  i.e. ,  Aw-  Consider  the  relation  R  C  W  x  Aw  defined 
by  R  =  {(w,nw)  \  w  G  W}.  We  show  that  this  is  a  bisimulation  between  M 
and  ks(vs(M)). 

Note  first  that  R  sets  up  a  1-1  correspondence  between  W  and  Aw,  since  if 
u,  v  G  W  with  u  v  then  iru(pv)  =  0  and  wv(pv)  =  1,  so  nu  ^  nv.  Thus,  wRttu 
implies  u  =  w,  so  n(w)(p)  =  iru(p)  for  all  p  G  V.  This  gives  condition  (atomic). 

We  show  that  for  u,v  G  W,  and  i  G  Agts,  we  have  u  v  iff  nu  7r„ 
(i.e.,  for  all  p  G  Oi,  we  have  7r u(p)  =  nv(p)).  In  particular,  note  u  ~i  v  implies 
[u]i  =  [u]j,  so  for  all  p  =  P[w]iti  G  Oi,  we  have  iru(p)  =  1  iff  u  G  [ic],;  iff  u  w 
iff  v  G  \w\i  iff  7 Tv(p)  =  1.  Conversely,  if  for  all  p  G  Oi,  we  have  7r„(p)  =  7r v(p), 
then  iru(ptvi.}i)  =  nv(piv-ii}i)  =  1,  since  ®G  [i?]»,  and  it  follows  by  definition  that 
u  G  [v]j,  i.e.,  u  ~j  v. 

The  conditions  (forth)  and  (back)  now  follow  straightforwardly.  For  (forth), 
note  that  if  u  ~  v  and  uRu' ,  then  v!  =  ttu.  Taking  v'  =  nv,  we  have  vRv' ,  and 
u'  =  7r.u  ~  7 tv  =  v'  from  the  above.  The  proof  of  (back)  is  similar.  □ 

Using  Proposition  1,  it  follows  that  for  all  formulas  <j>,  we  have  M  |=  </> 
iff  ks(vs(M))  |=  (j>.  Thus,  for  purposes  of  the  modal  language,  it  suffices  to 
work  with  epistemic  variable  structures  in  place  of  finite  Kripke  structures. 
Henceforth,  for  an  epistemic  variable  structure  A4 ,  and  world  w  of  A4 ,  we  write 
M,w  \=  f  if  ks(M),w  1=  (j>  and  M  (=  f  if  ks(M )  \=  <j). 
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2.2  From  Programs  to  Epistemic  Kripke  Structures 

In  the  context  of  model  checking,  one  is  interested  in  analyzing  a  model  repre¬ 
sented  as  a  program.  We  now  show  how  programs  generate  a  Kripke  structure 
that  serves  as  their  semantics.  We  work  with  a  very  simple  straightline  pro¬ 
gramming  language  in  which  a  multi-agent  scenario  is  represented  by  each  of 
the  agents  running  a  protocol  in  the  context  of  an  environment.  The  syntax 
and  operational  semantics  of  this  language  is  shown  in  Figure  1. 

Intuitively,  all  variables  (represented  by  non-terminal  v)  in  this  fragment 
are  boolean,  and  e  represents  a  boolean  expression.  Code  C  consists  of  a  se¬ 
quence  of  assignments  and  randomization  statement  rand(v ),  which  assigns  a 
random  value  to  v.  Non-terminal  a  represents  an  atomic  action,  either  the  skip 
statement  skip,  or  an  atomic  statement  (C)  consisting  of  code  C  that  executes 
without  interference  from  code  of  other  agents.  An  agent  protocol  P  consists  of 
a  sequence  of  atomic  actions:  protocol  e  represents  termination,  and  is  treated 
as  equivalent  to  skip ;  e  to  capture  that  a  terminated  agent  does  nothing  while 
other  agents  are  still  running.  A  joint  protocol  J ,  is  represented  by  a  statement 
of  the  form  P\  ||  ...  ||  Pn  A  Ce,  and  consists  of  a  number  of  agent  protocols 
Pi, . . . , Pn,  running  in  the  context  of  an  environment  represented  by  code  Ce- 

There  are  two  relations  in  the  operational  semantics.  States  s  are  assign¬ 
ments  of  boolean  variables  to  boolean  values,  and  we  write  e(s)  for  the  value 
of  boolean  expression  expression  e  in  state  s.  The  binary  relation  — on  con¬ 
figurations  of  type  (s,  C)  represents  zero-time  state  transitions,  which  do  not 
change  the  system  clock.  The  binary  relation  — >1  on  configurations  of  type  (s,  J) 
represents  state  transitions  corresponding  to  a  single  clock  tick.  Thus,  C  — e 
represents  that  code  C  runs  to  termination  in  time  0.  In  a  single  tick  transition 
represented  by  — >i,  we  take  the  next  atomic  action  cq  =  (Ci)  from  each  of  the 
agents,  and  compose  the  code  Ci  in  these  actions  with  the  code  from  the  envi¬ 
ronment  Ce  to  form  the  code  C  =  C\ ;  . . .  Cn:  Ce-  The  single  step  transition  is 
obtained  as  the  result  of  running  this  code  C  to  termination  in  zero-time. 

A  system  is  represented  using  this  programming  language  by  means  of  a 
tuple  I  =  ( J,I,0 ),  where  J  is  a  joint  protocol  for  n  agents,  /  is  a  boolean 
formula  expressing  the  initial  condition,  and  Q  is  a  tuple  of  n  sets  of  variables, 
with  Qi  representing  the  variables  observable  to  agent  i. 

Given  a  maximum  running  time  n,  a  system  I  =  ( J,  I,  Q)  is  associated  to  an 
epistemic  variable  structure  A4n(I)  =  (A,  O,  V)  as  follows.  A  run  of  length  n  of 
the  system  is  a  sequence  of  states  r  =  Sq>  s2>  •  •  •  >  sn,  where  So  satisfies  the  initial 
condition  /  and  (so,  J)  — ti  (si,  Ji)  — >i  . . .  — >i  (sn,  Jn)  for  some  J\, . . . ,  Jn.  If 
U  is  the  set  of  variables  appearing  in  J,  we  define  V  to  be  the  set  of  timed 
variables,  i.e.,  the  set  of  variables  vl  where  0  <  t  <  n.  We  take  A  to  be  the  set 
of  assignments  ar  to  variables  V  derived  from  runs  r  by  ar(u*)  =  st(v )  when 
v  £  U  and  0  <  t  <  n.  For  the  perfect  recall  semantics,  which  is  our  focus  in  this 
paper,  we  define  the  observable  variables  O,  for  agent  i  to  be  the  set  of  timed 
variables  vl  where  v  €  Qi  and  0  <  t  <  n. 
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e  i>|-if;|?;Ai'|i>Vi>|  ... 

C  ::=  e  \  v  :=  e;  C  \  rand(y );  C 
a  ( C )  \  skip 

P  ::=  e  |  a;P 
J::=P  ||  ...  ||  P  AC 

(s,  v  :=  e;  C)  -A0  (s[e(s)/u],  C)  (s,  s/rap;  C)  -A0  (s,  C) 

( s,rand(v);C )  — (s[0/v],C)  ( s,rand(v)\C )  — (s[l / f] , <I7) 


ai  =  <<?!>  . . .  an  =  (Cn)  C  =  C1-,...-,Cn]CE  (s,C)^*0(t,e) 

(s,  ai;Pi  ||  ...  ||  an;Pn  A  CE)  (t,  Pi  ||  ...  ||  P„  AC£) 


Figure  1:  Syntax  and  Operational  Semantics  of  Programs 


3  Example:  Dining  Cryptographers 

We  illustrate  epistemic  model  checking  and  the  optimizations  developed  in  this 
paper  using  Chaum’s  Dining  Cryptographers  Protocol  [10],  a  security  protocol 
whose  aim  is  to  achieve  an  anonymous  broadcast.  This  protocol,  both  in  its  basic 
form,  as  well  as  an  extension  that  is  more  generally  applicable,  has  previously 
been  analysed  using  epistemic  model  checking  [31,  2].  Chaum  introduces  the 
protocol  with  the  following  story: 

Three  cryptographers  are  sitting  down  to  dinner  at  their  favourite 
restaurant.  Their  waiter  informs  them  that  arrangements  have  been 
made  with  the  rnaitre  d’hotel  for  the  bill  to  be  paid  anonymously. 

One  of  the  cryptographers  might  be  paying  for  the  dinner,  or  it  might 
have  been  NSA  (U.S.  National  Security  Agency).  The  three  cryptog¬ 
raphers  respect  each  other’s  right  to  make  an  anonymous  payment, 
but  they  wonder  if  NSA  is  paying.  They  resolve  their  uncertainty 
fairly  by  carrying  out  the  following  protocol: 

Each  cryptographer  flips  an  unbiased  coin  behind  his  menu,  between 
him  and  the  cryptographer  on  his  right,  so  that  only  the  two  of  them 
can  see  the  outcome.  Each  cryptographer  then  states  aloud  whether 
the  two  coins  he  can  see-the  one  he  flipped  and  the  one  his  left-hand 
neighbor  Hipped-fell  on  the  same  side  or  on  different  sides.  If  one 
of  the  cryptographers  is  the  payer,  he  states  the  opposite  of  what 
he  sees.  An  odd  number  of  differences  uttered  at  the  table  indicates 
that  a  cryptographer  is  paying;  an  even  number  indicates  that  NSA 
is  paying  (assuming  that  the  dinner  was  paid  for  only  once).  Yet  if 
a  cryptographer  is  paying,  neither  of  the  other  two  learns  anything 
from  the  utterances  about  which  cryptographer  it  is. 
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The  solution  generalizes  to  any  number  n  of  cryptographers  Co, . . . ,  C„_i  at 
the  table.  We  may  represent  the  protocol  by  means  of  the  following  program  for 
cryptographer  i,  who  is  assumed  to  have  a  boolean  variable  paid.t  that  indicates 
whether  (s)he  is  the  payer.  (The  program  starts  running  from  an  initial  state 
in  which  the  constraint  Vo<*<j<n-i  A  paidj)  is  satisfied.)  We  write  ® 

for  the  exclusive-or. 

Cii 

Observed  variables:  paidi ,  coirii,  left say0 , . . . ,  sayn_1 
Protocol: 

coirii  :=  rand  ; 

mod  n  •  COlTli  , 

sayi  :=  paidi  ®  com*  ®  lefti 

All  variables  take  boolean  values.  Here  rand  is  the  generation  of  a  random 
boolean  value:  in  a  probabilistic  interpretation,  the  value  would  be  drawn  from 
a  uniform  distribution,  but  for  our  purposes  in  epistemic  model  checking,  we 
interpret  this  operation  as  nondeterministically  selecting  a  value  of  either  0  or 
1.  Each  cryptographer  is  associated  with  a  set  of  variables,  whose  values  they 
are  able  to  observe  at  each  moment  of  time.  Note  that  a  cryptographer  may 
write  to  a  variable  that  they  are  not  able  to  observe.  In  particular,  Ci  writes  to 
the  variable  lefti+1  mod  n  that  is  observed  only  by  Ci+l  mod  n. 

We  will  work  with  dependency  networks  that  show  how  the  values  of  variables 
change  over  time.  The  DC  protocol  runs  for  4  ticks  of  the  clock,  (time  0  plus  one 
tick  for  each  step  in  the  protocol) ,  so  we  have  instances  v°  . . .  v3  of  each  variable 
v.  Figure  2  shows  the  dependencies  between  these  instances.  The  figure  is  to  be 
understood  as  follows:  a  variable  vl  takes  a  value  that  directly  depends  on  the 
values  of  the  variables  vfff1  . .  .  such  that  there  is  an  edge  from  u*.-1  to  v*. 
Additionally,  there  is  a  dependency  between  the  initial  values  paid °  captured 
using  a  special  variable  Pmit-  (We  give  a  more  formal  presentation  of  such 
dependency  structures  below.)  The  observable  variables  for  agent  Co  have  been 
indicated  by  rectangles:  timed  variables  inside  these  rectangles  are  observable 
to  C0. 


4  Valuation  Algebra 

Shenoy  and  Shafer  [26,  28]  have  developed  a  general  axiomatic  formalism  that 
captures  the  key  properties  that  underpin  the  correctness  of  optimization  meth¬ 
ods  used  for  a  variety  of  uncertainty  formalisms.  In  particular,  it  has  been 
shown  that  this  formalism  allows  for  a  general  explanation  of  variable  elimina¬ 
tion  algorithms  and  the  notion  of  conditional  independence  used  in  the  Bayesian 
Network  literature  [19],  and  applies  also  in  other  contexts  such  as  Spohn’s  the¬ 
ory  of  ordinal  conditional  functions  [30].  There  is  a  close  connection  also  to 
ideas  in  database  query  optimization  [22]  and  operations  research  [5].  We  show 
here  that  Shenoy  and  Shafer’s  general  axiomatic  framework  applies  to  epistemic 
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Figure  2:  Timed- variable  dependency  graph  after  program  unfolding 
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model  checking.  This  will  enable  us  to  apply  the  variable  elimination  algorithm 
to  derive  techniques  for  optimizing  epistemic  model  checking. 


4.1  Axiomatic  Framework 

We  begin  by  presenting  Shenoy  and  Shafer’s  framework,  following  [18].  Let  Vars 
be  a  set  of  variables,  with  each  v  £  Vars  taking  values  in  a  set  For  a  set  X 
of  variables,  the  set  fix  =  Ilxex^i  is  called  the  frame  of  X.  Elements  of  fix 
are  called  configurations  of  X.  In  case  X  =  0,  the  set  fix  is  interpreted  as  {()}, 
i.e. ,  the  set  containing  just  the  empty  tuple.  We  write  D  for  V(Vars). 

A  valuation  algebra  is  a  tuple  ($,  dom,  e,  <S>,  1),  with  components  as  follows. 
A  state  of  information  is  represented  in  valuation  algebra  by  a  primitive  notion 
called  a  valuation.  Component  $  is  a  set,  the  set  of  all  valuations,  and  dom 
is  function  from  to  V(Vars).  Intutitively,  for  each  valuation  s  £  <F,  the 
domain  dom(s)  is  the  set  of  variables  that  the  information  is  about.  For  a 
set  of  variables  X,  we  write  <I>x  for  the  set  of  valuations  s  with  dom(s)  = 
X.  Component  e  gives  an  element  ex  £  for  each  X  £  D.  A  valuation 

algebra  also  has  two  operations  (g>  :  $  x  $  — ►  <I>  (combination)  and  f:  $  x  D  — ► 
$  (marginalization),  with  ®,  intuitively,  representing  the  combination  of  two 
pieces  of  information,  and  4  used  to  restrict  a  piece  of  information  to  a  given 
set  of  variables.  Both  are  written  as  infix  operators.  From  marginalization, 
another  operator  —  :  <£>  x  Vars  — >  <3>  called  variable  elimination  can  be  defined, 
by  s~x  =  s  J,  ( dom(s )  \  {x}). 

These  operations  are  required  to  satisfy  the  following  conditions: 

VA1.  Semigroup.  (8  is  associative  and  commutative.  For  all  X  £  D  and  all 
s  £  we  have  s  ®  ex  =  e-x  8  s  =  s. 

VA2.  Domain  of  combination.  For  all  s,t£<i>,  dom(s  <8>t)  =  dom(s)  U  dom{t). 
VA3.  Marginalization.  For  s  £  $  and  X,Y  £  D,  the  following  hold: 

s  4  X  =  s  4  Xndom(s)  dom(s  4  X)  =  Xndom(s)  s  4  dom(s)  =  s  . 

VA4.  Transitivity  of  marginalization.  For  and  X  C  Y  C  Vars, 

(sfY)lX  =  sfX  . 

VA5.  Distributivity  of  marginalization  over  combination.  For  s,  t  £  <fr,  with 
dom(s)  =  X 

(s  (g)  t)  4  X  =  s  (g)  (t  4  X)  . 

VA6.  Neutrality.  For  X,Y  £  D, 


ex  <8  eY  =  eXuY  ■ 
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A  key  result  that  follows  from  these  axioms,  called  the  Fusion  Algorithm 
[27],  exploits  Distributivity  of  Elimination  over  Combination  to  give  a  way  of 
computing  the  result  of  a  marginalization  operation  applied  to  a  sequence  of 
combinations,  by  pushing  in  variable  eliminations  over  elements  of  the  combi¬ 
nation  that  do  not  contain  the  variable. 

For  a  finite  set  S  =  {si,  s2, . . . ,  Sk}  Q  write  for  si  (g)  S2  <S>  •  •  •  <8>  Sfc-  We 
define  the  fusion  of  S  via  x  €  Vars  to  be  the  set 

Fusx(S)  =  {(®5+)-a:}U5_ 

where  we  have  partitioned  S  as  S+  U  S- ,  such  that  S+  is  the  set  of  s  €  S  with 
x  €  dom(s ),  and  S _  is  the  set  of  s  £  S  with  x  ^  dom(s).  That  is,  in  the  fusion 
of  the  set  S  with  respect  to  x,  we  combine  all  the  valuations  with  x  in  their 
domain,  and  then  eliminate  x,  and  preserve  all  valuations  with  x  not  in  their 
domain. 

Suppose  we  are  interested  in  computing  (®S)  f  X ,  for  S  a  finite  set  of 
valuations,  and  X  C  Vars.  The  Fusion  Algorithm  achieves  this  by  repeatedly 
applying  the  fusion  operation,  using  some  ordering  of  the  variables  in  X.  We 
write  dom(S)  for  dom(®S)  =  (J {dom(s)  \  s  £  S'} 

Theorem  1  ([27]).  Let  S  be  a  finite  set  of  valuations,  and  X  C  Vars.  Suppose 
dom(S)  \  X  =  {x\,x2,  ■  ■  ■  ,xn} .  Then 

(®S)  l  X  =  ®FusXn  (. . .  ( FusXl  ( S )))  . 

Each  ordering  of  the  variables  x\  . . .  xn  gives  a  different  way  to  compute 
(<S>S)  X.  A  well  chosen  order  can  yield  a  significant  optimization  of  the  com¬ 
putation,  by  keeping  the  domains  of  the  intermediate  valuations  in  the  sequence 
of  fusions  small.  Finding  an  optimal  order  may  be  computationally  complex, 
but  there  exist  heuristics  that  produce  good  orders  in  practice  [23,  20]. 

4.2  A  Valuation  Algebra  of  Relational  Structures 

We  now  show  that  the  relational  structures  that  underly  Kripke  structures  are 
associated  with  algebraic  operations  that  satisfy  the  conditions  from  the  previ¬ 
ous  section.  It  will  follow  from  this  that  the  Fusion  algorithm  can  be  applied  to 
these  structures. 

Let  V  be  the  set  of  all  variables.  Values  in  the  algebra  will  be  relational 
structures  of  the  form  s  =  (A,  V ),  where  V  C  V  and  A  C  assgt(V).  The  domain 
of  a  relational  structure  is  defined  to  be  its  set  of  variables,  i.e.  if  s  =  ( A ,  V) 
then  dom(s)  =  V.  We  define  the  identities  ex  and  operations  <S>  of  combination 
and  and  f  of  marginalization  as  follows.  Let  Si  =  (A\,V\)  and  s 2  =  (42,V 2) 
and  ICV.  Then 

•  ex  =  (assgt(X),X), 

•  Si<g)S2  =  (A,  V)  where  V  =  V1UV2,  and  A  C  assgt{V)  is  defined  by  a  €  A 
iff  a  C  Vi  e  A\  and  a  \  V2  G  A2. 
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•  si  4,  X  =  ( A ,  V)  where  V  =  Vi  (lX,  and  A  =  {a  \  X  \  a  £  Ai}. 

To  use  terminology  from  relational  databases,  si  ®  S2  is  the  join  of  relations  and 
s  4.  X  is  the  projection  of  the  relation  s  onto  attributes  X.  The  following  result 
is  straightforward;  these  properties  are  well-known  for  relational  algebra. 

Proposition  3.  The  algebra  of  relational  structures  satisfies  axioms  VA1-VA6. 

We  may  extend  the  operation  of  marginalization  in  this  valuation  algebra 
to  epistemic  variable  structures  as  follows.  If  At  =  (A,  O ,  V)  is  an  epistemic 
variable  structure  and  X  C  V,  we  define  At  j.  X  =  ( A',0',V ')  where  A!  = 
{a  \  X  \  a  £  A}  and  O'  =  Oi  11  X  for  all  i  £  Agts  and  V’  =  V  fl  X.  In 
general,  this  operation  results  in  agents  losing  information,  since  their  knowledge 
is  based  on  the  observation  of  fewer  variables.  Below,  we  identify  conditions 
where  knowledge  is  preserved  by  this  operation. 


5  Conditional  Independence  and  Directed  Graphs 

5.1  Conditional  Independence 

Let  X,Y,  Z  C  V  be  sets  of  variables.  The  notion  of  conditional  independence 
expresses  a  generalized  type  of  independency  relation.  Variables  X  are  said  to  be 
conditionally  independent  of  Y ,  given  Z,  if,  intuitively,  once  the  values  of  Z  are 
known,  the  values  of  Y  are  unrelated  to  the  values  of  X,  so  that  neither  X  not  Y 
gives  any  information  about  the  other.  This  intuition  can  be  formalized  for  both 
both  probabilistic  and  discrete  models.  The  following  definition  gives  a  discrete 
interpretation,  related  to  the  notion  of  embedded  multivalued  dependencies  from 
database  theory  [13]. 

Definition  1.  Let  A  C  assgt(V )  be  a  set  of  assignments  over  variables  V  and 
let  X,Y,Z  C  V.  We  say  that  A  satisfies  the  conditional  independency  X1.Y\Z, 
and  write  A  |=  X±YjZ,  if  for  every  pair  of  worlds  u,v  €  A  with  u  \  Z  =  v  \  Z , 
there  exists  w  £  A  with  w  \XUZ=u\XUZ  and  w  [  7  U  Z  =  t)  \  Y  U  Z. 
For  an  epistemic  variable  structure  Ai  =  (A,  O,  V),  we  write  Ai  |=  X1Y\Z  if 
A\=X±Y\Z. 

Conditional  independencies  can  be  deduced  from  graphical  representations 
of  models.  Such  representations  have  been  used  in  the  literature  on  Bayesian 
Nets  [24,  19],  and  have  also  been  applied  in  propositional  reasoning  [11,  12]. 
The  following  presentation  is  similar  to  [11]  except  that  we  work  with  relations 
over  arbitrary  domains  rather  than  propositional  formulas. 

5.2  Directed  Graphs 

A  directed  graph  is  a  tuple  G  =  ( V. ,  E)  consisting  of  a  set  V  (the  vertices)  and 
a  relation  E  C  V  x  V  (the  edges).  If  (u,v)  £  E  we  say  that  there  is  an  edge 
from  u  to  v ,  and  may  also  denote  this  fact  by  u  — >  v.  We  write  u  —  v  when 
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both  u  — ^  v  and  v  — >  u.  The  set  of  parents  of  a  node  u  is  defined  to  be  the  set 
pa{v)  =  {u  €  V  |  u  — >  v}.  A  path  of  length  n  from  u  to  v  in  G  is  a  sequence 
uq,  Ui,  . . . ,  un  of  vertices,  such  that  Uj  Uj+i  for  all  i  =  0  ...  n  —  1.  The  graph 
is  acyclic  if  there  is  no  nontrivial  path  from  any  vertex  to  itself.  We  also  call 
such  a  graph  a  directed  acyclic  graph,  abbreviated  as  dag.  An  undirected  graph 
is  a  graph  with  a  symmetric  edge  relation  E,  i.e.  if  u  — >  v  then  also  v  — >  u.  We 
may  represent  such  a  pair  of  edges  with  the  notation  u  —  v. 

The  notion  of  d-separation  [24]  provides  a  way  to  derive  a  set  of  independency 
statements  from  a  directed  graph  G.  We  present  here  an  equivalent  formulation 
from  [21],  that  uses  the  notion  of  the  moralized  graph  Gm  of  a  directed  graph 
G.  The  graph  Gm  is  defined  to  be  the  undirected  graph  obtained  from  G  by 
first  adding  an  edge  u  —  v  for  each  pair  u,  v  of  vertices  that  have  a  common 
child  (i.e.  such  that  there  exists  w  with  u  — ►  w  and  v  — >  w),  and  then  replacing 
all  directed  edges  with  undirected  edges.  For  a  set  of  vertices  X  of  the  directed 
graph  G,  we  write  An(X)  for  the  set  of  all  vertices  v  that  are  ancestors  of  some 
vertex  x  in  S  (i.e.,  such  that  there  exists  a  directed  path  from  v  to  x).  For  a 
subset  X  of  the  set  of  vertices  of  graph  G  =  (V.E).  we  defined  the  restriction 
of  G  to  S  to  be  the  graph  Gs  =  {V  n  S,{(u,v)  G  E  \  u,v  G  S}).  For  disjoint 
sets  A,  Y,  S,  we  then  have  that  X  is  d-separated  from  Y  by  S  if  all  paths  from 
X  to  Y  in  (G An(xuYuS))m  include  a  vertex  in  S. 

A  structured  model  for  a  valuation  algebra  ($,  dom,  e,  <S>,  4-),  is  a  tuple  M  = 
(V,E,S)  where  V  is  a  set  of  variables,  D  =  V(V),  component  E  is  a  binary 
relation  on  V  such  that  Gm  =  (V,E)  is  a  dag,  and  S  =  {st,}„eu  is  a  collection 
of  values  in  $  such  that  for  each  variable  v  G  V,  we  have 

•  dom(sv)  =  {v}  U  pa(v),  i.e.  the  domain  of  sv  consists  of  v  and  its  parents 
in  the  dag, 

•  Sv  j.  pa(v)  &pa(y)‘ 

Intuitively,  the  second  constraint  says  that  the  relation  sv  does  not  constrain 
the  parents  of  v:  for  each  assignment  of  values  to  the  parents  of  v,  there  is  at 
least  one  value  of  v  that  is  consistent. 

The  following  is  a  consequence  of  results  in  [24,  21,  33]. 

Proposition  4.  Suppose  that  M  =  (V,  E,  S)  is  a  structured  model  and  X,  Y,  Z 
are  disjoint  subsets  of  the  vertices  V  of  the  directed  graph  G  =  (V,  E).  If  X  is 
d-separated  from  Y  by  Z ,  then  |=  X1Y\Z. 

Proof.  (Sketch)  The  set  /  of  conditional  independency  statements  holding  in 
a  structured  model  is  a  semi-graphoid.  In  particular,  we  will  take  I  to  be  the 
semi-graphoid  of  conditional  independencies  in  ®S. 

A  stratified  protocol  L  of  I  is  an  ordering  v\  . . .  vn  of  V  together  with  a 
function  p  :  V  — >  V(V )  such  that  for  all  i  =  1  ...n,  we  have  that  p{vf)  C 
{i>i, . . . ,  Vi- 1}  and  the  set  /  contains  the  statement 


{id  ■  •  •  Vi-i}  \p(vi)Y{vi}\p(vi)  . 
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Each  stratified  protocol  L  is  associated  with  a  directed  acyclic  graph  dag(L)  = 
(V,  {(w,  v)  |  v  G  V,  u  €  p(i>)}).  It  follows  from  the  fact  that  M  is  a  structured 
relational  model  that  any  topological  sort  of  G,  together  with  the  parent  function 
in  G  as  the  function  p,  is  a  stratified  protocol  L  of  I ,  and  we  have  dag(L)  =  G. 

Verma  and  Pearl  [33]  (Theorem  2)  show  that  if  Z  d-separates  X  from  Y  in 
dcig(L)  and  L  is  a  stratified  protocol  for  a  semi-graphoid  I,  then  X±Y\Z  is  in 
/.  It  follows  that  if  Z  d-separates  X  from  Y  in  G  then  |=  X1Y\Z.  □ 

Structured  models  have  an  additional  property  that  provides  an  optimization 
when  eliminating  variables:  if  a  leaf  node  is  one  of  the  variables  eliminated  from 
the  combination  of  the  nodes  of  the  graph,  then  it  can  be  simply  removed  from 
the  model  without  changing  the  result.  This  is  formally  captured  in  the  following 
result. 


Proposition  5.  Suppose  that  M  =  ( V,E,S )  is  a  structured  model,  let  X  C  V 
and  let  v  £  V  \  X  be  a  leaf  node.  Then  ®<S  f  X  =  <8 >(<S  \  {s4)  f  X. 


Proof.  Let  s  =  ®(<S\  {s„}).  By  the  semigroup  properties,  we  have  ®S  =  s<S>sv. 
We  first  note  that 


=  s  <8  (s„ 

4 

dom(s)) 

by  VA5 

=  s  <8  (s„ 

4 

dom(s)  fl  dom(sv )) 

by  VA3 

=  s  <8  (s„ 

4 

pa(v)) 

since  v  is  a  leaf 

=  s  8  ev 

since  M  is  a  s.r.m. 

=  s 

by  VA1. 

Hence 


(s  (g>  sv)  l  X  =  (s  <8  sv)  l  dom(s)  fl  X 
—  (s  (8  sv)  J,  dom(s)  4-  X 
=  slX 


since  X  C  dom{s) 
by  VA4 
by  the  result  above. 


□ 

To  apply  these  results  for  structured  models  to  model  checking  epistemic 
logic,  we  use  the  following  definition.  We  say  that  a  structured  model  M  = 
( V ,  E,  S)  represents  the  worlds  of  an  epistemic  variable  structure  Xi  =  (A,  O,  U) 
if  V  =  U  and  A  =  <85.  That  is,  the  structured  model  captures  the  set  of 
assignments  making  up  the  epistemic  variable  structure. 

5.3  Eliminating  Observable  Variables 

Consider  the  following  formulation  of  the  model  checking  problem:  for  an  epis¬ 
temic  formula  <f>,  we  wish  to  verify  At  |=  <j>  where  XI  =  ( A ,  O ,  V)  is  an  epistemic 
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variable  structure  with  observable  variables  O ,  with  worlds  represented  by  a 
structured  model  M  =  ( V,E,S ). 

A  first  idea  for  how  to  optimize  this  verification  problem  is  to  reduce  the 
structure  Ai  to  the  set  of  variables  vars((f> )  of  the  formula  (f>,  on  the  intuition  that 
only  these  variables  are  relevant  to  the  satisfaction  of  (j>.  But  this  is  not  quite 
correct:  the  formula  may  contain  the  epistemic  operators  A',;,  the  semantics 
of  which  refers  to  the  observable  variables  O,;,  since  these  are  used  to  define 
the  indistinguishability  relation.  Thus  a  more  accurate  claim  is  that  we  should 
restrict  the  structure  to  vars (<j>),  together  with  the  sets  Oi  for  any  operator  K, 
in  <f>. 

In  fact,  using  the  notion  of  conditional  dependence,  it  is  often  possible  to 
identify  a  smaller  set  of  variables  that  suffices  to  verify  the  formula.  The  intu¬ 
ition  for  this  is  that  some  of  the  observed  variables  in  Oi  may  be  independent 
of  the  variables  in  the  formula,  and  moreover,  information  may  be  redundantly 
encoded  in  the  observable  variables.  For  example,  if  an  observable  variable  that 
does  not  itself  occur  in  the  formula  is  computed  from  other  observable  variables, 
then  it  is  redundant  from  the  point  of  view  of  determining  the  possible  values 
of  variables  in  the  formula.  The  following  definitions  strengthen  the  idea  of 
restricting  to  vars((j))  U  O  by  exploiting  a  sufficient  condition  for  the  removal  of 
observable  variables. 

Say  that  n  is  a  relevance  function  for  a  formula  <f>  with  respect  to  an  epistemic 
variable  structure  Ai  =  (A,  O,  V)  if  it  maps  subformulas  of  0  to  subsets  of  the 
set  of  variables  V,  and  satisfies  the  following  conditions: 

1.  k(p)  =  {p}  for  p  £  V, 

2.  k{4>!  A  <f>2)  =  n((t> i)  U  k(02), 

3.  k(-i(/> i)  =  k(</>i),  and 

4.  K(Ki<j>i)  =  Ui  U  k(</>i),  for  some  Ui  C  Oi  with  n((j) i)  (~l  O,:  C  Ui  and 
M  |=  (k(</>i)  \  Ui)-L(Oi  \  Ui)\Ui. 

In  the  final  condition,  Ui  can  be  any  set.  We  note  that  a  set  Ui  satisfying 
the  condition  can  always  be  found.  For,  if  we  take  Ui  =  Oi ,  then  the  condition 
states  that  k(</>i)  fl  Oi  C  Oi  and  M  \=  (k(0i)  \  O,)T0|Oj.  Both  parts  of  this 
statement  are  trivially  true.  In  practice,  we  will  want  to  choose  Ui  to  be  as 
small  as  possible,  since  this  will  lead  to  stronger  optimizations.2 

Note  that  is  a  subformula  of  itself,  so  in  the  domain  of  k.  The  following 
result  says  that  satisfaction  of  <j>  is  preserved  when  we  marginalize  to  a  superset 
of  k(</))  for  a  relevance  function  k. 

Theorem  2.  Suppose  that  n  is  a  relevance  function  for  4>  with  respect  to  epis¬ 
temic  variable  structure  M.  and  that  X  is  a  set  of  variables  with  k(4>)  C  X  C 
dom( JA).  Then  for  all  worlds  w  of  A4,  we  have  Ai ,  w  \=  4>  iff  A4  f  X,  w  |"  X  |= 


2 We  remark  also  that  since  (A  \  C)-L(B  \  C)\C  is  equivalent  to  A.LB\C,  the  independence 
condition  could  be  more  simply  stated  as  re(</,l)-LOi|Fi-  We  work  with  the  more  complicated 
version  because  the  algorithm  for  d-separation  assumes  disjoint  sets. 
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Proof.  We  prove  the  result,  for  all  epistenric  variable  structures  XI,  by  induction 
on  the  structure  of  0.  Suppose  k((/>)  C  X  C  dom(M). 

For  the  case  0  =  p  G  V,  we  have  k(0)  =  {p},  so  pel.  Hence  M ,  w  |=  0  iff 
w(p)  =  1  iff  (w  \  X)(p)  =  1  iff  M  f  X,  w  \  X  \=  (j>,  as  required. 

In  case  0  =  (f>\  A  02,  we  have  «(0)  =  k(0i)  U  k(02),  so  k(0i)  C  X  and 
k(02)  C  X.  Hence 

XI,  w  |=  0  iff  XI,  w  \=  0 i  and  XI,  w  |=  02 

iff  XI  X,  w;  \  X  |=  and  XI  4-  X,  w  (  X  |=  (by  induction) 
iff  XI  I  X,  w  \  X  |=  0  . 

The  proof  for  the  case  <f>  =  ->0  1  is  similar. 

In  case  0  =  Kifa,  we  show  that  XI,  u>  |=  K^i  implies  XI  4,  X, tu  f  X  |= 
,  and  the  converse.  Note  that  the  equivalence  relation  used  in  the 
semantics  of  the  operator  Ki  in  XI  f  X  is  given  by  v  W  w  if  v  \  Oj  fl  X  =  w  \ 
Oi  n  X. 

For  the  implication  from  XI,  w  |=  Ki<f>  1  to  XI  f  X,  w  \  X  [=  Xj^i,  suppose 
that  M,w  1=  Ki(j)i.  Let  w  f  X  w,  where  v  is  a  world  of  XI  4-  X.  Then 
there  exists  a  world  u  of  XI  such  that  u  f  X  =  t).  We  need  to  show  that 
XI  4-  X,  u  \  X  \=  <j>\.  Since  Ui  C  n(Ki(/>  1)  C  X  and  Ui  C  Oj,  we  have  Ui  C 
X  n  Oj.  Hence,  from  ic  (  X  u  \  X,  we  have  'UJ  |  I/.,  =  u  \  Ui.  Thus,  from 
M  |=  (n((j)i)\Ui)P(Oi\Ui)\Ui,  it  follows  that  there  exists  a  world  w'  of  XI  such 
that  w'  \  (Oi  \  Ui)  U  Ui  =  w  \  (Oi  \  Ui)  U  Ui  and  w'  \  (n(4>i)  \  Ui)  U  Ui  =  u  f 
(k(4>i)  \  Ui)  U  Ui .  Thus,  w'  \  Oi  =  w  \  Oi  and  w'  f  k(4>\)  =  u  \  k(4>\).  Hence 

XI,  u/  \=  <j)  1  iff  XI  4-  k(4> i),w'  \  n((f>  1)  1=  (f>i  (by  induction) 

iff  M  4-  k(</)),u  \  k(4>)  h  <Ai  (by  w'  \  k(0i)  =  u  \  k(0i)) 
iff  M ,  u  1=  0i  (by  induction) 

Since  w'  f  Oi  =  w  \  Oi  and  XI,  w  |=  X*0 1,  we  have  XI ,  w'  \=  0i.  Hence 
XI,  u  |=  0i.  By  induction,  A4  f  X,u  \  X  |=  0i,  as  recpiired. 

Conversely,  suppose  that  XI  4-  X, w  \  X  \=  Kifa.  We  show  that  XI, tu  \= 
KUpi .  For  this,  let  u  be  a  world  of  XI  with  uj  \  O,  =  a  |  O,  .  We  need  to 
show  that  XI,  u  |=  0 1.  For  this,  note  that  it  follows  from  w  \  Oi  =  u  \  Oi 
that  w  f  X  I"  Oi  fl  X  =  u  \  X  \  Oi  n  X,  i.e. ,  w  \  X  u  |  X.  Since 
XI 4-  X,  w  \  X  \=  Ki(j>  1,  we  have  that  XI 4-  X,  u  \  X  \=  0i.  Since  k(0i)  C  X,  we 
have,  by  induction,  that  XI ,  u  \=  0i ,  as  required.  □ 

Computing  k(4>):  The  definition  of  k  provides  a  recursive  definition  by 
which  n((f>)  can  be  calculated,  with  the  exception  that  the  case  n(Ki((f>))  = 
UiOn((f>)  allows  for  a  choice  of  the  set  Ui,  subject  to  the  conditions  k(0)PI Oi  C  Ui 
and  XI  1=  (k(0)  \  f7j)-L(Oj  \  Ui)\Ui.  When  the  worlds  of  XI  are  represented  by 
a  structured  relational  model  M,  we  show  how  to  construct  the  minimal  set 
Ui  satisfying  the  stronger  conditions  that  k(0)  PI  Oi  C  Ui  and  Ui  d-separates 
k(0)  \  Ui  from  Oi  \  Ui  in  the  directed  graph  G  associated  with  M. 

Note  (k(0)  \  Ui)  U  (Oi  \  Ui)  U  Ui  =  n(<j>)  U  Oi  for  any  set  Ui.  Thus,  the  d- 
separation  properties  we  are  interested  in  are  computed  in  the  moralized  graph 
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H  =  (G^„(OiUK(0)))m)  which  is  independent  of  t/j.  Let  U  be  the  set  of  vertices 
v  £  Oi  such  that  there  exists  a  path  in  H  from  a  vertex  u  £  n(4>)  \  Oi  to  v,  with 
v  the  first  vertex  on  that  path  that  is  in  Oi.  The  set  U  can  be  constructed  in 
linear  time  by  a  depth  first  search  from  k{4>)  \  Ot.  Take  W  =  U  U  (ft(0)  fl  Oi). 

Proposition  6.  W  is  the  smallest  set  satisfying  the  strengthened  conditions  for 
Ui. 

Proof.  We  first  show  that  W  satisfies  the  conditions  for  Ui .  Clearly  n{(j>)  fl 
Oi  C  W .  We  show  that  k{4>)  \  W  is  d-separated  from  Oi  \  W  by  W.  Let 
u  =  Uo,Ui, . . .  ,un  =  v  be  a  path  in  H  from  u  £  k{4>)  \  W  to  Oi  \  W.  Since 
k(0)  (~l  Oi  C  W.  we  have  u  £  Oi.  But  then  the  path  must  cross  an  edge  from 
the  exterior  of  Oi  into  Oi,  and  the  endpoint  of  that  edge  is  in  W ,  by  definition. 
This  shows  that  there  is  no  path  from  n(<t>)  \  W  to  Oi  \  W  that  avoids  W.  Thus, 
W  satisfies  the  conditions  for  Ui. 

To  show  that  W  is  the  minimal  such  set,  let  Ui  be  any  set  satisfying  the 
conditions,  and  suppose  that  W  %Ui.  Then  there  is  a  vertex  v  £  W\Ui.  Since 
W  C  Oi,  we  have  v  €  Oi  \  Ui.  We  cannot  have  v  £  n((j))  fl  Oi,  since  then  also 
v  £  Ui-  Thus,  by  definition  of  W,  there  exists  a  path  in  H  from  v  to  some 
node  in  k,{4>)  \  Oi,  with  all  vertices  after  v  not  in  Oi,  hence  also  not  in  Ui  since 
Ui  C  Oi.  Note  k(</>)  \  Oi  =  k{4>)  \  Ui  since  k(c/))  n  Oi  C  Ui.  Thus,  k(c/))  n  Oi  C  Ui 
is  not  d-separated  from  Oi\Ui  by  Ui,  contradicting  the  assumptions  on  Ui.  This 
shows  that  W  CUt.  □ 

5.4  Equalities 

Unfolding  a  program  into  a  structured  model  tends  to  create  a  large  number  of 
timed  variable  instances  whose  associated  value  represents  an  equality  between 
two  variables.  Such  instances  can  be  eliminated  by  a  simple  transformation  of 
the  structured  model. 

For  an  assignment  a  with  domain  V ,  define  a\y/x\  to  be  the  assignment  a' 
with  domain  ( V  \  {a;})  U  {y}  with  a(y)  =  a'(x)  and  a  \  (dom(s)  \  {x})  =  a'  f 
(dom(s)  \  {x}). 

For  a  relational  value  s  and  variables  x,y  with  x  €  dom(s)  and  y  ^  dom(s), 
define  s[y/x\  to  be  the  relational  value  t,  with  dom{t)  =  ( dom{s )  \  {a;})  U  {y}, 
consisting  of  all  assignments  a[y/a;]  for  a  £  s.  Intuitively,  this  is  simply  the 
relation  s  with  variable  x  renamed  to  y. 

We  extend  this  definition  to  structured  relational  models  M  =  ( V,E,S ) 
with  x,y  £  V,  by  defining  M[y/x ]  =  {V' ,E',S')  with  V'  =  V  \  {a;},  and 
E'  =  E  fl  (V'  x  V'),  and  S  =  {s^,  |  v  £  V'},  where  s'v  =  s[y/a;].  In  the 
following  result,  we  write  SXty  for  the  set  of  assignments  a  with  domain  {a;,y} 
and  a(x)  =  a{y). 

Proposition  7.  Suppose  that  M  =  ( V,E,S )  is  a  structured  relational  model 
with  x,y  £  V,  and  f lx  =  fly,  and  pa(y)  =  {x}  and  sy  =  Sx,y.  Let  M[y/x\  = 
(V',E',S').  Then  ®S' =  (®S)  l  V' . 
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The  definition  furthermore  extends  to  epistemic  models  M.  =  (A,  O,  V ) 
with  worlds  represented  by  a  structured  relational  model  M  =  (V,E,S).  Let 
M[y/x]  =  ( V',E',S ').  We  define  M[x/y\  =  (A',  O',  V')  where  O'  =  {0-}i6^9ts 
where  0\  —  U  {y  \  x  G  O,}  for  each  i  G  Agts,  and  A!  =  (g )S' .  Note  that  0[ 
additionally  makes  variable  y  visible  to  agent  i  if  x  was  visible  to  i,  in  case  this 
variable  was  not  originally  visible. 

Proposition  8.  If  Qx  =  Uy,  and  pa{y)  =  {x}  and  sy  =  {(a?  :  a,y  :  a)  \  a  G 
then  M,a\=c/)  iff  M[y/x\,a[y/x\  |=  (f[y/x\. 

5.5  Algorithm 

The  overall  optimized  procedure  for  model  checking  that  we  obtain  from  the 
above  results  uses  the  following  steps: 

1.  We  first  unfold  a  program  representation  of  the  model  into  a  structured 
relational  model  with  symbolically  represented  values  and  transform  the 
query  into  a  form  that  uses  the  timed  instances  variables  in  place  of  the 
original  variables.  This  can  be  done  in  a  way  that  builds  in  the  equality 
optimization  of  Section  5.4.  We  expand  on  this  step  in  Section  7. 

2.  We  compute  n((f>)  using  the  algorithm  in  Section  5.3. 

3.  We  compute  a  symbolic  representation  of  A4  \  k(4>),  using  the  leaf  node 
elimination  optimization. 

4.  We  compute  A4  \  k(4>)  |=  <f>  in  this  representation  using  a  symbolic  model 
checking  algorithm. 

6  Example 

In  the  present  section,  we  illustrate  this  procedure  on  the  Dining  cryptographers 
protocol. 

Figure  5  indicates  the  dependency  graph  that  remains  after  we  have  applied 
the  optimization  procedure  to  the  Dining  cryptographers  problem.  We  consider 
the  formula 

4 >  =  (~^paid0  =>  Ko(-ipaid1A-*paid2)V (Repaid paid1)A^Kopaid1A^Kopaid2) 
evaluated  at  time  3.  Transforming  to  timed  form,  this  is 

4>  i  =  (^paidy  =$■  KQ{-^paid\f\^paid\)\/(KQ(paid\\/paid\)f\-^Kf)paid\f\^KQpaid\) 

The  set  of  observable  variables  Oo  used  for  the  operator  Kq  in  this  formula  is 
the  set  of  all  variables  inside  the  rectangles  in  Figure  2. 

The  result  of  applying  the  equality  optimization  to  the  model  is  depicted  in 
Figure  3.  The  resulting  formula  is 

4> 2  =  (^paid^  =>  Ko{-^paidi/\^paid2)V (Ko(paidiV paid®) A^Kopaidih^Kopaid®) 
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Figure  3:  Depency  graph  after  equality  optimization 


To  construct  the  moralized  graph,  we  add  edges  between  all  vertices  in  the 
sets  {paidf,  coin f ,  left,  }  for  i  =  0,1, 2,  and  replace  all  directed  edges  with  undi¬ 
rected  edges.  The  result  is  depicted  in  Figure  4. 

For  the  computation  of  K<f>,  we  note  that  the  variables  in  the  scope  of  the 
knowledge  operator  are  paid®  and  paid® ■  The  vertices  at  the  outer  bound¬ 
ary  to  the  observable  variables  from  these  vertices  are  pinit,  paid®,  paid®,  coin\. 
The  observable  variables  reachable  in  one  step  from  this  outer  boundary  are 
paid®,  coin J,  coin\,  say\,  say2-  Thus,  we  compute 

k(4> 2)  =  {paid® , paid® ,  paid® coinQ,  coin\,  say  1,  say 2} 

All  other  variables  can  be  eliminated  using  the  variable  elimination  algorithm. 
As  a  first  step  in  this  process,  we  can  delete  leaf  nodes  not  in  K((j> 2)  (and  re¬ 
cursively,  any  fresh  leaf  nodes  not  in  k(4> 2)  resulting  from  such  deletions.)  This 
step  enables  deletion  of  variables  say q  and  coin®,  left®,  say®  for  i  =  0, 1,  2.  The 
graph  resulting  from  these  deletions  in  depicted  in  Figure  5. 

From  the  point  of  model  checking  complexity,  we  expect  that  the  simplifica¬ 
tion  of  the  dependency  graph  will  result  in  significant  improved  performance  of 
the  model  checking  computation.  For  n  cryptographers,  the  initial  dependency 
graph  (Figure  2  for  n  =  3)  has  16?r  variables,  i.e. ,  48  variables  in  case  n  =  3. 
The  algorithm  of  van  der  Meyden  and  Su  [31]  would  construct  a  BDD  with  over 
12  +  4 n  variables  in  general,  and,  as  show  in  Figure  6,  with  24  variables  in  case 
n  =  3.  However,  the  algorithm  uses  an  intermediate  BDD  representation  of 
the  transition  relation  of  the  protocol  that  requires  8 n  variables.  Instead,  the 
optimization  approach  developed  here  computes  a  BDD  over  just  9  variables  in 
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coin,3 
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paid23 

coin23 

left23 

say23 


Figure  6:  Timed- variables  used  in  algorithm  of  van  der  Meyden  and  Su. 

case  n  =  3  and  3 n  variables  in  general.  The  actual  model  checking  computation 
combines  BDD’s  associated  with  each  node  to  construct  a  BDD  over  the  same 
number  of  variables.  Since  in  practice,  BDD  algorithms  work  for  numbers  of 
variables  in  the  order  of  100-200,  these  reductions  of  the  constant  factor  can 
have  a  significant  impact  on  the  scale  of  the  problems  that  can  be  solved. 

7  From  Programs  to  Dags 

We  have  developed  an  implementation  of  the  above  ideas  as  an  extension  of 
the  epistemic  model  checker  MCK  [14].  We  sketch  the  implementation  in  this 
section. 

We  apply  the  conditional  independence  optimization  described  above  on 
a  structured  model  derived  from  the  system,  in  which  values  are  represented 
symbolically  as  formulas.  Given  a  formula  to  be  model  checked,  we  derive  a 
structured  model  over  a  smaller  set  of  vertices  using  the  conditional  indepen¬ 
dence  optimization.  Rather  than  producing  the  timed  variable  dag  as  in  the 
discussion  of  the  Dining  Cryptographers  example  above,  and  then  applying  the 
equational  optimization,  the  initial  structured  model  is  obtained  by  means  of  a 
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symbolic  execution  that  builds  in  the  equational  optimization.  This  symbolic 
execution  proceeds  as  follows. 

For  a  set  of  variables  Vars,  define  an  indexing  of  Vars  to  be  a  mapping 
7  :  Vars  — ►  N.  If  7  is  an  indexing,  and  e  is  an  expression,  we  define  the 
the  expression  e/7,  which  interprets  e  with  respect  to  indexed  instances  of  the 
variables,  by  replacing  each  occurrence  of  a  variable  v  in  e  by  the  indexed 
variable  v _  Intuitively,  vk  represents  the  fc-th  value  taken  on  by  variable 
v  during  the  running  of  the  program.  (Note  that  this  differs  from  the  timed 
variable  Vk,  which  represents  the  value  of  the  variable  at  time  k.) 

Consider  a  system  I  =  (J,  I,  Q)  with  joint  protocol  J  =  Pi  \  \  ...  1 1  Pn  A  CE. 
We  can,  for  each  time  t  up  to  the  maximal  running  time  N  of  J,  obtain  the 
code  at  time  t,  denoted  Ct  =  C\ ; . . .  (7* ;  Ce,  where  the  t-th  atomic  statement 
in  each  Pt  is  (C|).  (At  this  step,  we  use  the  fact  that  the  agent  protocols  are 
straightline.)  We  construct  a  sequence  of  structured  models  Mo, ...  ,Mn,  and 
a  sequence  of  indexings  70,  ■  •  ■  7jv  of  Vars,  as  follows. 

To  represent  the  initialization  condition,  we  use  a  variable  Vinu  with  frame 
f Ivinit  equal  to  the  set  of  assignments  over  vars(I).  (Under  our  simplifying  as¬ 
sumptions,  this  is  a  set  of  assignments  to  boolean  variables;  all  indexed  variables 
other  than  vlnit  are  boolean.) 

The  initial  structured  model  M0  =  (V0,E0,S)  has  V0  =  {c°  |  v  G  Vars}  U 
{Vinit}  and  E0  =  {(viniuv°)  \  v  G  vars(I)}.  Write  su  =  (Au,  Vu)  for  the  values 
S  =  {SujugVb-  The  domains  of  these  values  are  given  by  VVinit  =  {ujmt}  and 
Vvo  =  {u0}  if  v  vars(I)  and  Vvo  =  { Vinit,v otherwise.  The  relations  in  these 
values  are  symbolically  represented  AViriit  =  /,  and  Av 0  =  True  if  v  £  vars(I), 
otherwise  by  v°  =  v.  The  indexing  70  is  the  initial  indexing,  which  has  70 (v)  =  0 
for  all  v  G  Vars. 

Given  model  Mj,  indexing  7 j  and  code  C,;,  we  obtain  the  next  model  and 
indexing  in  the  sequence  as  (M»+i,7j+i)  =  n(Mi,  7,,  C*),  where  the  function  fi 
is  dehned  by 

H(M,  7,e)  =  (M,j) 

and 

»((V,  E,  S),  7,  (6;  O)  =  (( V ',  E',  S'),  7',  C) 
where,  if  b  is  the  assignment  v  :=  e  we  have 


V'  =  VU{vl{v)+1} 

E'  =  E  U{(u7(u),t;7(v)+1)  |  u  G  vars(e)} 

S'  =  S  U  {  .  ,  } 

i  =  7[7(v)  +  !/u] 

with  the  relation  of  s„  (tj)+1  symbolically  represented  by  the  formula  u7(„)+1 
e/7.  That  is,  the  function  /i  processes  an  assignment  statement  v  :=  e  by 
interpreting  e  with  respect  to  7,  creating  a  new  vertex  u7(„)+ 1  with  parents  the 
variables  in  this  interpretation  e/7  and  a  value  that  describes  how  u7(„)+1  is 
calculated  from  its  parents. 
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In  case  b  is  the  randomization  statement  rand(v),  we  take 


V'  =  VU{Vj(v)+1} 

E'  =  E 

S'  =  SU  {svt(„)+1} 

y  =  7b(«)  +  i/y 

with  the  relation  of  s„^(jj)+1  symbolically  represented  by  the  formula  True. 

The  sequence  of  indexings  70  . . .  Vm  relates  timed  variables  to  indexed  vari¬ 
ables,  by  the  mapping  vt  1— >  7 t(v).  Via  this  mapping,  the  structured  model  MN 
represents  the  worlds  of  the  epistemic  variable  structure  M.N(I). 

In  particular,  to  evaluate  an  epistemic  formula  <f>  at  time  N,  we  work  with 
the  model  Mm  and  interpret  each  variable  v  of  (j)  as  the  indexed  variable  7at(u)- 
In  order  to  determine  where  (j)  is  a  formula  to  be  evaluated  at  time  N,  we 
use  the  sets  Oi  =  { v *  |  v  €  Qi ,  0  <  t  <  7jv(^)}  of  images  of  observable  timed 
variables. 

After  constructing  the  structured  model  Mm  and  computing  the  set  of  rel¬ 
evant  variables  k(</>),  we  compute  Mm  \  k(4>)  using  the  leaf  node  optimiza¬ 
tion.  This  is  again  a  structured  model.  Since  the  values  in  Mm  are  formulas, 
Mn  \  k{4>)  is  represented  as  a  formula  of  quantified  boolean  logic.  We  then 
process  this  formula  from  the  leaves  to  the  root  to  obtain  a  binary  decision 
diagram  representing  this  QBF  formula  -  the  variables  in  this  representation 
are  the  variables  in  k(</)).  The  assignments  represented  by  this  binary  decision 
diagram  are  the  worlds  of  a  Kripke  structure. 

The  observable  variables  yield  binary  relations  over  these  worlds,  defined  by 
w  w'  if  for  all  variables  v  €  Oi,  we  have  w(v1N^)  =  These 

relations  correspond  to  an  agent  with  perfect  perfect  recall  observing  variables 
Oi.  The  relations  can  similarly  be  represented  by  binary  decision  diagrams.  This 
yields  a  symbolic  representation  of  the  Kripke  structure  using  binary  decision 
diagrams. 

A  standard  symbolic  evaluation  procedure  for  modal  logic  can  then  be  used 
to  compute  a  BDD  representing  the  set  of  worlds  where  holds.  We  check 
this  for  emptiness  to  decide  M  \=  (j). 

8  Experimental  Results 

In  the  present  section,  we  describe  the  results  of  a  number  of  experiments  de¬ 
signed  to  evaluate  the  performance  of  epistemic  model  checking  using  the  condi¬ 
tional  independence  optimization,  in  comparison  with  the  existing  implementa¬ 
tion  in  MCK.  (Since  MCK  remains  the  only  symbolic  epistemic  model  checker 
that  deals  with  perfect  recall  knowledge,  there  are  no  other  systems  to  compare 
to.)  All  experiments  were  conducted  on  an  Intel  2.8  GHz  Intel  Core  i5  processor 
with  8  GB  1600  MHz  DDR3  memory  running  Mac  OSX  10.10. 

The  experiments  conducted  are  based  on  a  number  of  examples  of  epistemic 
model  checking  applications  that  have  previously  been  considered  in  the  litera¬ 
ture.  Most  concern  security  protocols.  Each  experiment  scales  according  to  a 
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single  numerical  parameter,  and  we  measure  the  running  time  of  model  check¬ 
ing  a  formula  as  a  function  of  this  parameter.  Details  of  the  protocols  and  the 
way  that  they  are  represented  in  the  MCK  scripting  language  when  using  the 
conditional  independence  optimization  are  presented  in  Appendix  A.3 

The  performance  of  the  conditional  independence  optimization  depends  on 
the  extent  to  which  it  is  able  to  reduce  the  number  of  variables  that  need  to 
be  handled  in  the  ultimate  BDD  calculation  that  implements  model  checking. 
Theoretically,  in  the  worst  case,  there  is  no  reduction  in  the  number  of  variables. 
We  have  therefore  deliberately  chosen  some  examples  in  which  the  reduction 
is  realised  in  order  to  demonstrate  its  power  when  it  applies.  However,  the 
examples  are  realistic  in  that  they  derive  from  prior,  independently  motivated 
work. 

Except  where  indicated,  the  unoptimized  model  checking  algorithm  against 
which  we  compare  is  that  invoked  by  the  construct  spec_spr_xn  in  the  MCK 
scripting  language,  which  operates  as  already  described  above.  (We  refer  to  this 
algorithm  as  xn  in  legends,  and  the  algorithm  using  conditional  independence 
optimization  is  referenced  as  ci.)  The  results  demonstrate  both  significant 
speedups  of  as  large  as  four  orders  of  magnitude,  as  well  as  a  significant  increase 
in  the  scale  of  problem  that  can  be  handled  in  a  give  amount  of  time. 

Due  to  nondeterminism  in  the  underlying  CUDD  package  [29]  used  by  MCK 
for  binary  decision  diagram  computations,  the  running  times  can  show  signif¬ 
icant  variance  from  run  to  run,  with  some  runs  taking  very  large  amounts  of 
time.  We  have  dealt  with  this  variance  by  concentrating  on  the  minimal  run¬ 
ning  time  obtained  over  three  runs  of  the  experiments.  This  form  of  aggregation 
can  be  justified  as  equivalent  to  the  running  time  obtained  when  running  three 
copies  of  the  computation  in  parallel  and  taking  the  answer  from  the  first  to 
complete. 

Even  with  this  allowance,  the  plot  of  running  times  as  we  scale  the  experi¬ 
ments  can  be  very  jagged  on  larger  instances.  The  problem  tends  to  affect  the 
unoptimized  running  times  more  than  the  running  times  using  the  conditional 
independence  optimization,  which  generally  give  smooth  curves.  We  believe  this 
is  due  to  memory  placement  effects  on  larger  BDD’s,  and  because  the  BDD’s  for 
the  unoptimized  running  times  reach  the  critical  size  significantly  earlier.  We 
expect  that  a  similar  phenomenon!  will  occur  with  the  optimized  version  once 
this  critical  BDD  size  is  reached. 

'The  scripts  are  presented  using  a  version  of  MCK’s  language  under  development  for  an 
upcoming  release  —  this  is  more  elegant  than  earlier  versions,  and  we  developed  the  imple¬ 
mentation  of  the  optimization  to  work  with  the  new  language.  The  performance  of  model 
checking  is  sensitive  to  the  encoding  of  a  script  to  the  quantified  boolean  formulas  used  by 
the  model  checking  algorithms.  Because  the  unoptimized  model  checker  had  not  yet  been 
fully  adapted  to  the  new  language  at  the  time  we  conducted  this  work,  we  used  alternate  but 
logically  equivalent  scripts  for  the  running  times  of  the  non-optimized  computation.  These 
scripts  were  chosen  so  as  to  minimize  the  running  times  for  the  non-optimized  version,  so  as 
to  best  advantage  the  non-optimized  version  in  the  competition.  (Even  with  this  advantage 
to  the  non-optimized  version,  the  optimization  generally  wins.) 
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n 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

xn 

0.1 

0.16 

0.37 

0.65 

1.34 

2.52 

37.92 

33.5 

846.19 

2775.4 

Table  1:  Dining  Cryptographers  experiments,  unoptimized  running  times  (s) 

8.1  Dining  Cryptographers 

Our  first  example  is  the  Dining  Cryptographers  protocol  [10],  as  discussed  in 
Section  3.  This  scales  by  the  number  n  of  agents;  the  number  of  state  variables 
is  O(n),  and  the  protocol  runs  for  3  steps.  The  initial  condition  needs  to  say 
that  at  most  one  of  the  agents  paid  -  this  is  done  by  means  of  a  formula  of  size 
0(n2).  The  rest  of  the  script  scales  linearly.  The  formula  in  all  instances  states 
that  at  time  3,  agent  CO  either  knows  that  no  agent  pays,  knows  that  CO  is  the 
payer,  or  knows  that  one  of  the  other  cryptographers  is  the  payer,  but  does  not 
know  which.  This  involves  O(n)  atomic  propositions,  and  is  of  linear  size  in  n. 

Performance  results  for  model  checking  the  Dining  Cryptographers  protocol 
running  on  a  ring  with  n  agents  are  shown  in  Table  1.  There  is  a  rapid  blowup 
as  the  number  of  agents  is  increased:  12  agents  already  takes  over  46  minutes 
(2775  seconds). 

By  contrast,  applying  the  conditional  independence  optimization,  model 
checking  is  significantly  more  efficient,  as  shown  by  the  plot  in  Figure  7.  The 
case  of  12  agents  is  handled  in  0.05  seconds,  and  100  agents  are  handled  in  9.69 
seconds. 

8.2  One-time  Pad 

The  next  example  concerns  message  transmission  using  one-time  pad  encryption 
in  the  presence  of  an  eavesdropper.  Each  instance  has  three  agents  (Alice,  who 
sends  an  encrypted  message  to  Bob,  and  Eve,  who  taps  the  wire).  We  scale  the 
example  by  the  length  of  the  message,  which  is  sent  one  bit  at  a  time.  For  a 
message  of  length  n,  states  have  0{n)  variables.  The  protocol  runs  2 n  steps, 
two  for  each  bit.  The  formula  is  evaluated  at  time  2 n,  and  says  that  Eve  does 
not  learn  the  value  of  the  first  bit. 

For  this  example,  we  found  that  the  best  performance  for  the  unoptimized 
version  was  obtained  using  MCK  version  0.5.1,  which  used  a  different  encoding 
from  more  recent  versions.  Performance  of  model  checking  is  shown  in  Table  2. 

The  running  times  for  the  optimized  version  grow  very  slowly  (the  numbers 
show  a  step-like  behaviour  due  to  rounding).  Intuitively,  the  conditional  inde¬ 
pendence  optimization  detects  in  this  example  that  the  first  bit  and  the  others 
are  independent,  and  uses  this  to  optimize  the  model  checking  computation. 
This  means  that  for  all  n,  the  ultimate  BDD  model  checking  computation  is 
performed  on  the  same  model  for  all  n,  and  the  primary  running  time  cost  lies 
in  the  generation  of  the  dependence  graph,  and  its  analysis,  that  precedes  the 
BDD  computation.  On  the  other  hand,  the  unoptimized  (xn)  model  checking 
running  times  show  significant  growth,  with  a  large  spike  towards  the  end,  where 
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Figure  7:  Dining  Cryptographers  experiments,  optimized  running  times  (s) 


26 


DISTRIBUTION  A.  Approved  for  public  release:  distribution  unlimited. 


the  speedup  obtained  from  the  optimization  is  over  10,000  times. 

8.3  Oblivious  Transfer 

The  next  example  concerns  an  oblivious  transfer  protocol  due  to  Rivest  [25], 
which  allows  Bob  to  learn  exactly  one  of  Alice’s  two  messages  mo, mi,  of  his 
choice,  without  Alice  knowing  which  message  was  chosen  by  Bob.  Each  instance 
has  two  agents,  and  we  scale  by  the  length  of  the  message.  For  a  message  of 
length  n,  states  have  0(n)  variables.  We  consider  two  formulas  for  this  protocol. 
Both  are  evaluated  at  time  3  in  all  instances. 

The  first  formula  says  that  if  Bob  chose  to  receive  message  m  i,  then  he 
does  not  learn  the  first  bit  of  mo-  The  running  times  for  model  checking  this 
formula  are  given  in  Table  3.  In  this  example,  the  conditional  independence 
optimization  gives  a  significant  speedup,  in  the  range  of  one  to  two  orders  of 
magnitude  (more  precisely,  12  to  221)  improvement  on  the  inputs  considered, 
and  increasing  as  the  scale  of  the  problem  increases. 

Running  just  the  optimized  version  on  larger  instances,  we  obtain  the  plot 
shown  in  Figure  8.  This  shows  that  the  optimization  allows  us  to  handle  signif¬ 
icantly  larger  instances:  up  to  97  agents  can  be  handled  in  under  200  seconds, 
compared  with  19  agents  in  170  seconds  unoptinrized. 

An  example  in  which  the  optimization  does  not  always  yield  a  performance 
improvement  arises  when  we  change  the  formula  model  checked  in  this  example 
to  one  that  states  that  if  Bob  chose  to  receive  m i,  then  he  does  not  learn  the 
value  of  any  bit  of  itiq .  The  running  times  are  shown  in  Table  4. 

Here,  the  optimization  initially  gives  a  speedup  of  roughly  one  order  of  mag¬ 
nitude,  but  on  the  three  largest  examples,  the  performance  of  the  unoptinrized 
algorithm  is  better  by  a  factor  of  two.  The  lower  size  of  the  initial  speedup, 
compared  to  the  first  formula,  can  be  explained  from  the  fact  that  are  obviously 
fewer  variables  that  are  independent  of  the  second  formula,  since  the  formula 
itself  contains  more  variables.  (The  “all  bits”  formula  contains  0(n)  rather  than 
just  one  variable  explicitly,  but  recall  that  knowledge  operators  implicitly  intro¬ 
duce  more  variables,  so  the  “first  bit”  formula  implicitly  has  0(n)  variables.)  It 
is  not  immediately  clear  exactly  what  accounts  for  the  switchover. 

8.4  Message  Transmission 

The  next  example  concerns  the  transmission  of  a  single  bit  message  across  a 
channel  that  is  guaranteed  to  deliver  it,  but  with  uncertain  delay  This  example 
has  two  agents  Alice  and  Bob  ,  and  runs  for  n+1  steps,  where  n  is  the  maximum 
delay.  States  have  0(n)  variables.  The  formula  considered  states  at  time  n  +  1 
that  Alice  knows  that  Bob  knows  ...  (nested  five  levels)  that  the  message  has 
arrived.  Because  of  the  nesting,  the  algorithm  used  in  the  unoptimized  case  is 
that  invoked  by  the  MCK  construct  spec_spr .nested  -  this  essentially  performs 
BDD-based  model  checking  in  a  structure  in  which  the  worlds  are  runs  of  length 
equal  to  the  maximum  time  relevant  to  the  formula. 
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n 

ci  (s) 

xn  (s) 

xn/ci 

3 

0.01 

0.03 

3 

4 

0.01 

0.08 

8 

5 

0.01 

0.10 

10 

6 

0.01 

0.18 

18 

7 

0.01 

0.27 

27 

8 

0.01 

0.35 

35 

9 

0.01 

0.52 

52 

10 

0.02 

0.52 

26 

11 

0.02 

1.25 

63 

12 

0.02 

1.38 

69 

13 

0.02 

2.04 

102 

14 

0.02 

2.19 

110 

15 

0.02 

3.98 

199 

16 

0.03 

5.50 

183 

17 

0.03 

5.01 

167 

18 

0.03 

5.47 

182 

19 

0.03 

7.24 

241 

20 

0.04 

9.71 

243 

21 

0.04 

8.42 

211 

22 

0.04 

8.82 

221 

23 

0.04 

11.10 

278 

24 

0.04 

17.88 

447 

25 

0.04 

36.68 

917 

26 

0.04 

33.26 

832 

27 

0.05 

23.60 

472 

28 

0.05 

34.88 

698 

29 

0.05 

99.50 

1990 

30 

0.05 

50.10 

1002 

31 

0.05 

75.13 

1503 

32 

0.05 

67.37 

1347 

33 

0.06 

97.23 

1621 

34 

0.06 

184.19 

3070 

35 

0.06 

89.47 

1491 

36 

0.07 

131.74 

1882 

37 

0.07 

164.76 

2354 

38 

0.07 

259.48 

3707 

39 

0.07 

275.87 

3941 

40 

0.07 

749.88 

10713 

Table  2:  One-time  pad  protocol,  optimized  and  unoptimized  running  times,  and 
speedup  ratio,  “single-bit”  formula 
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n 

ci  (s) 

xn  (s) 

xn/ci 

3 

0.02 

0.24 

12 

4 

0.03 

0.52 

17 

5 

0.05 

0.90 

18 

6 

0.07 

1.80 

26 

7 

0.11 

2.24 

20 

8 

0.14 

3.54 

25 

9 

0.15 

4.97 

33 

10 

0.16 

7.20 

45 

11 

0.21 

13.08 

62 

12 

0.26 

16.68 

64 

13 

0.32 

32.72 

102 

14 

0.39 

62.08 

159 

15 

0.43 

50.95 

118 

16 

0.50 

36.73 

73 

17 

0.60 

38.36 

64 

18 

0.71 

69.27 

98 

19 

0.77 

170.16 

221 

20 

1.09 

148.56 

136 

Table  3:  Rivest  Oblivious  Transfer  Protocol,  optimized  and  unoptimized  run¬ 
ning  times,  and  speedup  ratio,  “single-bit”  formula 


n 

ci  (s) 

xn  (s) 

xn/ci 

3 

0.03 

0.25 

8.3 

4 

0.05 

0.51 

10.2 

5 

0.12 

0.86 

7.2 

6 

0.15 

1.58 

10.5 

7 

0.25 

2.84 

11.4 

8 

0.42 

3.52 

8.4 

9 

0.50 

5.11 

10.2 

10 

0.55 

7.79 

14.2 

11 

1.18 

13.07 

11.1 

12 

3.72 

14.63 

3.9 

13 

5.20 

39.74 

7.6 

14 

7.13 

48.64 

6.8 

15 

4.91 

56.62 

11.5 

16 

20.16 

38.09 

1.9 

17 

32.95 

42.40 

1.3 

18 

174.96 

86.81 

0.5 

19 

229.85 

96.86 

0.4 

20 

342.40 

184.08 

0.5 

Table  4:  Rivest  Oblivious  Transfer  Protocol,  optimized  and  unoptimized  run¬ 
ning  times,  and  speedup  ratio,  “all  bits”  formula 
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Figure  8:  Oblivious  transfer  protocol  experiments,  optimized  running  times, 
“single-bit”  formula 
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n 

ci  (s) 

nested(s) 

nested/ci 

3 

0.01 

0.02 

2 

4 

0.01 

0.03 

3 

5 

0.01 

0.04 

4 

6 

0.01 

0.06 

6 

7 

0.01 

0.11 

11 

8 

0.02 

0.20 

10 

9 

0.03 

0.46 

15 

10 

0.03 

1.05 

35 

11 

0.05 

2.44 

49 

12 

0.07 

5.69 

81 

13 

0.09 

14.5 

161 

14 

0.12 

34.77 

290 

15 

0.16 

89.31 

558 

16 

0.20 

360.3 

1802 

17 

0.27 

1597.91 

5918 

Table  5:  Message  Transmission  Protocol,  optimized  and  unoptimized  running 
times,  and  speedup  ratio 


Table  5  compares  the  performance  of  the  conditional  independence  optimiza¬ 
tion  with  this  algorithm.  The  degree  of  optimization  obtained  is  significant, 
increasing  to  over  four  orders  of  magnitude. 

Running  the  optimization  for  larger  instances,  we  obtain  the  plot  of  running 
times  in  Figure  9.  We  again  have  that  the  optimization  enables  significantly 
larger  instances  to  be  handled  in  a  given  amount  of  time:  as  many  as  65  agents 
in  342  seconds,  compared  to  just  16  agents  in  360  seconds  for  the  unoptimized 
version. 

8.5  Chaum’s  two-phase  protocol 

The  final  example  we  consider  is  Chaum’s  two-phase  protocol  [10],  a  protocol  for 
anonymous  broadcast  that  uses  multiple  rounds  of  the  Dining  Cryptographers 
protocol.  Model  checking  of  this  protocol  has  previously  been  addressed  in  [1], 
This  example  scales  by  both  the  number  of  agents  and  the  number  of  steps 
of  the  protocol:  with  n  agents,  the  protocol  runs  for  0(n)  steps,  and  each  state 
is  comprised  of  0{n)  variables.  We  check  a  formula  with  0(n)  variables  that 
says  that  the  first  agent  has  a  bit  rcvdl  set  to  true  at  the  end  of  the  protocol 
iff  it  knows  that  some  other  agent  is  trying  to  send  bit  1. 

The  protocol  is  more  complex  than  the  others  considered  above.  An  ini¬ 
tial  set  of  n  “booking”  rounds  of  the  Dining  Cryptographers  protocol  is  used 
to  anonymously  attempt  to  book  one  of  n  slots,  and  this  is  followed  by  n 
“slot”  rounds  of  the  Dining  Cryptographers  protocol,  in  which  an  agent  who 
has  booked  a  slot  without  detecting  a  collision  with  another  agent’s  booking, 
uses  that  slot  to  attempt  to  broadcast  a  message.  Because  undetected  book- 
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Figure  9:  Message  Transmission  Protocol,  optimized  running  times 


32 


DISTRIBUTION  A.  Approved  for  public  release:  distribution  unlimited. 


n 

ci  (s) 

xn  (s) 

3 

0.04 

0.79 

4 

0.11 

96.47 

5 

0.49 

>  2  hrs 

6 

2.46 

- 

7 

12.93 

- 

8 

155.41 

- 

9 

>  2hrs 

- 

Table  6:  Cliaum’s  two-phase  protocol,  optimized  and  unoptimized  running  times 

ing  collisions  remain  possible,  collisions  might  also  be  detected  in  the  second 
phase.  Because  of  the  complexity  of  the  protocol,  this  example  can  only  be 
model  checked  on  small  instances  in  reasonable  time,  even  with  the  optimiza¬ 
tion.  Table  6  shows  the  running  times  obtained:  for  the  unoptimized  version, 
we  again  used  MCK-0.5.1. 

The  running  time  of  the  unoptimized  computation  explodes  at  n  =  5  as  we 
increase  the  number  of  agents.  The  optimized  computation  is  significantly  less, 
but  also  eventually  explodes,  at  n  =  9.  Thus,  the  optimization  has  doubled  the 
size  of  the  problem  that  can  be  handled  in  reasonable  time. 


9  Related  Work  and  Conclusion 

We  conclude  with  a  discussion  of  some  related  work  and  future  directions. 

Wilson  and  Mengin  [34]  have  previously  related  modal  logic  to  valuation 
algebra,  but  their  definition  requires  that  the  marginalization  of  a  Kripke  struc¬ 
ture  have  exactly  the  same  set  of  worlds  and  equivalence  relation,  and  merely 
restricts  the  assignment  at  each  world,  so  their  approach  does  not  give  the  op¬ 
timization  that  we  have  developed,  and  a  model  checking  approach  based  on  it 
would  be  less  efficient  than  that  developed  in  the  present  paper.  They  do  not 
discuss  conditional  independence,  which  is  a  key  part  of  our  approach. 

Also  related  are  probabilistic  programs,  a  type  of  program  containing  prob¬ 
abilistic  choice  statements,  that  sample  from  a  specified  distribution.  The  se¬ 
mantics  of  such  programs  is  that  they  generate  a  probability  distribution  over 
the  outputs.  These  programs  may  contain  statements  of  the  form  observe{(j>) 
where  </>  is  a  boolean  condition:  these  are  interpreted  as  conditioning  the  dis¬ 
tribution  constructed  to  that  point  on  the  condition  </>.  Hur  et  al.  [17]  develop 
an  approach  to  slicing  probabilistic  programs  based  on  a  static  analysis  that 
incorporates  ideas  from  the  Bayesian  net  literature.  There  are  several  differ¬ 
ences  between  probabilistic  programs  and  our  work  in  this  paper.  One  is  that 
we  deal  with  discrete  knowledge  rather  than  probability  -  in  general,  this  makes 
our  model  checking  problem  more  tractable.  We  also  reason  about  all  possible 
sequences  of  observations,  rather  than  one  particular  sequence  of  observations. 
Additionally,  we  allow  observations  by  multiple  agents  rather  than  just  one. 
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Finally,  via  knowledge  operators,  we  have  a  locus  of  reference  to  observations 
in  our  framework  that  is  located  in  formulas  rather  than  inside  the  program 
-  this  enables  us  to  ask  multiple  questions  about  a  program  without  changing 
the  code,  whereas  in  probabilistic  programs,  one  would  need  to  handle  this  by 
multiple  distinct  modifications  of  the  code. 

The  results  of  the  present  paper  concern  formulas  that  refer  (directly  and 
through  knowledge  operators)  only  to  a  specific  time.  Our  approach,  however, 
can  be  easily  extended  by  means  of  a  straightforward  transformation  to  formulas 
that  talk  about  multiple  time  points,  and  we  intend  to  implement  this  extension 
in  future  work. 

The  technique  we  have  developed  can  also  be  extended  to  deal  with  multi¬ 
agent  models  based  on  programs  taking  probabilistic  transitions,  which  MCK 
already  supports.  Formulas  in  this  extension  would  include  operators  that  talk 
about  an  agent’s  subjective  probability,  given  what  it  has  observed. 

Other  extensions  we  intend  to  implement  are  to  enrich  the  range  of  knowl¬ 
edge  semantics  beyond  the  synchronous  perfect  recall  semantics  treated  in  this 
paper:  essentially  the  same  techniques  will  apply  to  the  clock  semantics  (in 
which  an  agent’s  knowledge  is  based  on  just  its  current  observation  and  the 
current  time).  The  observational  semantics,  in  which  the  agent’s  knowledge  is 
based  just  on  its  current  observation,  will  be  more  challenging,  since  it  is  asyn¬ 
chronous,  and  knowledge  formulas  may  refer  to  times  arbitrarily  far  into  the 
future. 

Finally,  whereas  the  present  paper  concentrated  on  straightline  programs,  we 
intend  to  extend  to  a  richer  protocol  format,  including  conditionals.  In  general, 
this  extension  will  diminish  the  power  of  the  equality  optimization,  and  result  in 
an  increased  set  of  dependencies  in  which  many  variables  become  dependent  on 
a  variable  representing  the  program  counter.  However,  some  extensions  will  be 
more  managable,  e.g.,  one  that  requires  conditionals  and  loops  to  be  balanced 
in  their  timing  (a  restriction  already  used  in  work  on  computer  security  to  avoid 
unwanted  information  leakages). 
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A  Details  of  Experiments 

In  this  appendix  we  provide  further  details  on  the  examples  considered  in  our 
experiments. 

The  MCK  scripts  below  start  with  a  declaration  of  global  variables,  followed 
by  the  “init_cond”  construct  which  gives  a  boolean  formula  describing  the 
initial  states  of  the  model.  This  is  followed  by  the  declaration  of  the  agents 
in  model.  Each  declaration  names  the  agent,  gives  the  name  of  the  protocol  it 
runs  (in  quotes),  followed  by  the  binding  of  the  parameters  of  this  protocol  to 
environment  variables.  The  protocols  are  listed  last  in  the  script.  All  of  the 
agent  protocols  are  straightline.  The  bracket  notation  “<  I  ...  I  >”  delimits 
atomic  actions.  The  contents  of  these  brackets  are  a  sequence  of  assignments 
that  execute  atomically,  without  consuming  time. 

The  intuitive  operational  semantics  of  the  scripts  is  that  at  time  n,  the  agents 
activate  the  next  such  action  in  the  sequence.  These  actions  are  performed 
in  the  order  of  the  agents  listed,  followed  by  the  sequence  of  assignments  in 
the  “transitions”  clause,  which  intuitively,  describes  events  that  happen  in  the 
environment  at  each  step.  The  resulting  state  is  then  taken  to  be  the  state  at 
time  n  +  1. 

Specifications  are  listed  using  the  construct  “spec_spr”.  Here  the  “spr” 
indicates  that  we  are  using  a  synchronous  perfect  recall  semantics  for  knowledge. 

A.l  Dining  Cryptographers 

The  Dining  Cryptographers  protocol  has  already  been  discussed  in  the  body  of 
the  paper,  we  provide  the  code  for  the  3-agent  instance  below.  This  example  is 
generalized  to  larger  instances  by  increasing  the  number  n  of  agents:  each  run¬ 
ning  the  protocol  given.  The  protocol  can  be  run  using  any  connected  network, 
but  we  use  a  ring  network,  with  agent  C,;  sharing  coins  with  agent  Cj_ 1  mod  n 
to  the  left,  and  agent  agent  C,;+i  mod  n  to  the  right.  The  query  is  stated  in 
terms  of  the  knowledge  of  agent  Co,  and  says  that  this  agent  either  knows  that 
nobody  paid,  knows  that  it  paid  itself,  or  knows  that  one  of  the  other  n  —  1 
agents  paid,  but  does  not  know  which. 
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paid  :  Bool  [3] 
chan  :  Bool [3] 
said  :  Bool  [3] 

init_cond  = 

((neg  paid [1] )  /\  (neg  paid [2]))  \/ 
((neg  paid[0] )  /\  (neg  paid  [2]))  \/ 
((neg  paid[0] )  /\  (neg  paid[l])) 


agent 

CO 

"dc_agent_protocol" 

(paid[0]  , 

chan  [0]  , 

chan[l]  , 

said, 

said[0]  ) 

agent 

Cl 

"dc_agent_protocol" 

(paid[l]  , 

chan  [1]  , 

chan  [2]  , 

said, 

said[l]  ) 

agent 

C2 

"dc_agent_protocol" 

(paid  [2]  , 

chan  [2]  , 

chan[0]  , 

said, 

said  [2]  ) 

spec_spr_ci  =  X  3  (Knows  CO  ((neg  paid[0])  /\  (neg  paid[l])  /\  (neg  paid[2])))  \/ 
(Knows  CO  (paid[0]))  \/ 

(Knows  CO  (  False  \/  paid[l]\/  paid  [2])  /\ 

(neg  Knows  CO  (neg  paid[l]))/\  (neg  Knows  CO  (neg  paid[2]))) 


protocol  "dc_agent_protocol" 

( 

paid  :  observable  Bool, 
chan_left  :  Bool, 
chan_right  :  Bool, 

said  :  observable  Bool[],  —  the  broadcast  variables, 
say  :  Bool 

) 

coin_left  :  observable  Bool 
coin_right  :  observable  Bool 

begin 

<1  chan_right  :=  coin_right  |>; 

<1  coin_left  :=  chan_left  |>; 

<1  say  :=  coin_left  xor  coin_right  xor  paid  |>  ; 

skip 
end 


A. 2  One  Time  Pad 

The  one-time  pad  is  a  shared  secret  key  to  be  used  just  once.  It  is  known  to 
give  perfect  encryption  under  this  assumption.  We  model  a  system  in  which 
Alice  has  a  message  (a  boolean  string)  to  transmit  to  Bob.  She  is  assumed  to 
share  a  one-time  pad,  another  boolean  string  of  the  same  length  as  the  message, 
with  Bob.  Alice  encrypts  her  string  by  bitwise  exclusive-or  with  the  one-time 
pad,  and  sends  the  resulting  encrypted  bits  via  a  channel  that  is  observed  by 
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an  eavesdropper  Eve. 

We  parameterize  this  model  by  the  length  n  of  the  strings.  The  case  of 
n  =  3  is  shown  below.  We  consider  a  query  that  states  that  at  the  end  of  the 
transmission,  Eve  does  not  know  the  value  of  the  first  bit  of  Alice’s  message. 

—  The  ’secret’  one-time-pad  shared  between  Alice  and  Bob. 
one_time_pad  :  Bool  [3] 

—  The  communications  channel, 
channel  :  Bool 

agent  Alice  "sender"  (one_time_pad,  channel) 

agent  Bob  "receiver"  (one_time_pad,  channel) 

agent  Eve  "eavesdropper"  (channel) 

spec_spr  = 

X  6  ( (neg  (Knows  Eve  Alice .message [0] ) )  /\  (neg  (Knows  Eve  (neg  Alice .message  [0] ))) ) 

—  Alice’s  protocol. 

protocol  "sender"  (otp  :  Bool [3],  chan  :  Bool) 

message  :  Bool  [3] 
bit  :  Bool 

begin 


<1 

bit 

:=  otp  [0] 

1  >; 

<1 

chan 

:=  message  [0] 

xor 

bit 

l> 

<1 

bit 

:=  otp  [  1] 

1  >; 

<1 

chan 

:  =  message  [1] 

xor 

bit 

l> 

<1 

bit 

:  =  otp  [2] 

1  >; 

<1 

chan 

:=  message  [2] 

xor 

bit 

l> 

end 

—  Bob’s  protocol. 

protocol  "receiver"  (otp  :  observable  Bool  [3],  chan  :  observable  Bool) 
begin 

skip;  skip;  skip; 
skip;  skip;  skip 
end 


—  Eve’s  protocol. 

protocol  "eavesdropper"  (chan  :  observable  Bool) 
begin 

skip;  skip;  skip; 
skip;  skip;  skip 
end 


A. 3  Rivest’s  Oblivious  Transfer  Protocol 

Rivests  Oblivious  Transfer  protocol  [25]  enables  a  receiver  Bob  to  obtain  exactly 
one  of  two  distinct  messages  mo,  mi  possessed  by  a  sender  Alice,  without  Alice 
learning  which  message  Bob  chose  to  receive.  That  is,  Bob  makes  a  choice  c, 
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and,  at  the  end  of  the  protocol,  knows  message  mc,  but  not  the  other  message 
TOc,  without  Alice  learning  the  value  of  c. 

An  MCK  model  of  the  protocol  in  the  case  where  the  length  of  the  message  is 
3  is  given.  The  protocol  requires  that  Alice  and  Bob  start  with  some  correlated 
randomness  which  can  be  provided  by  a  trusted  third  party  who  does  not  need  to 
be  online  during  the  running  of  the  protocol.  This  trusted  third  party  provides 
Alice  with  two  random  strings  ro,  r i,  and  Bob  with  a  random  bit  d  and  the  string 
rd ■  We  do  not  model  this  third  party  explicitly,  but  start  a  the  state  where  Alice 
and  Bob  have  received  this  information.  (As  with  the  Dining  Cryptographers 
protocols  above,  we  model  random  choices  as  nondeterministic  choices.) 

Bob  and  Alice  then  exchange  some  messages  computed  from  the  initial  in¬ 
formation.  Bob  first  sends  a  bit  e,  and  Alice  responds  with  two  strings  /o,/i 
that  encode  mo  and  m\.  Bob  is  then  able  to  compute  his  desired  message  mc 
in  the  third  step  of  the  protocol. 

For  this  protocol,  we  scale  our  experiments  by  the  length  n  of  the  messages 
mo,  mi  (the  protocol  always  runs  in  3  steps,  but  the  last  step  is  a  local  com¬ 
putation  by  Bob,  so  does  not  affect  the  agent’s  knowledge).  We  consider  two 
formulas: 

1.  The  first  “[Single]”  says  that  if  Bob  chose  to  receive  mi,  then  he  does 
not  learn  the  first  bit  of  mo-  Because  the  protocol  effectively  operates 
independently  on  the  bits  of  the  various  messages,  we  expect  that  the 
dependency  analysis  will  detect  this  independence  and  give  a  significant 
speedup  as  the  size  of  the  messages  increase. 

2.  The  first  “[Any]”  says  that  if  Bob  chose  to  receive  mi,  then  he  does  not 
learn  any  bit  of  mo.  This  involves  n  variables,  so  it  is  not  immediately 
clear  whether  we  should  expect  any  optimization. 

—  Alice’s  messages 
mO:  Bool  [3] 

ml:  Bool  [3] 

—  A  variable  used  by  Bob  to  store  the  message  received 
mc :  Bool  [3] 

—  initial  randomness 
rO  :  Bool  [3] 

rl  :  Bool  [3] 
rd  :  Bool  [3] 
d  :  Bool 

fO  :  Bool  [3] 
fl  :  Bool  [3] 
e  :  Bool 
c :  Bool 

init_cond  = 
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—  Message  rd  is  determined  from  rO,rl  and  d. 

(  neg  d  =>  ( (rO  [0]  <=>  rd[0])  /\  (rO[l]  <=>  rd[l])  /\  (rO  [2]  <=>  rd[2])  ))  /\ 

(d  =>  ( (rl  [0]  <=>  rd  [0] )  /\  (rl  [1]  <=>  rd[l])  /\  (rl[2]  <=>  rd[2])  ))  /\ 

—  The  random  strings  are  distinct . 

(  neg  (rO  [0]  <=>  rl  [0] )  \/  neg  (rO[l]  <=>  rl[l])  \/  neg  (r0[2]  <=>  rl  [2] )  )  /\ 

—  The  messages  mO,  ml  are  distinct. 

(  neg  (mO  [0]  <=>  ml  [0]  )  \/  neg  (mO[l]  <=>  ml  [1]  )  \/  neg  (mO  [2]  <=>  ml  [2]  )  ) 

agent  Alice  "alice"  (rO,  rl,  mO,  ml,  fO,  fl,  e) 
agent  Bob  "bob"  (e,  rd,  d,  c,  fO,  fl,  me) 


spec_spr  = 

"[Any] :  after  two  steps,  Bob  does  not  know  the  value  of  any  bit  of  mO" 

X  2  (  c  =>  (neg  (Knows  Bob  mO  [0] )  /\  neg  (Knows  Bob  neg  mO  [0] )  /\ 

neg  (Knows  Bob  m0[l])  /\  neg  (Knows  Bob  neg  m0[l])  /\ 
neg  (Knows  Bob  mO [2] )  /\  neg  (Knows  Bob  neg  m0[2]))) 


spec_spr  = 

"[Single]:  after  two  steps,  Bob  does  not  know  the  value  of  the  first  bit  of  mO" 
X  2  (neg  (Knows  Bob  mO [0] )  /\  neg  (Knows  Bob  neg  mO [0] ) ) 

spec_spr  =  "[Alice]  Alice  does  not  learn  Bob’s  choice:  " 

X  3  (  (neg  Knows  Alice  c)  /\  (neg  Knows  Alice  neg  c  )  ) 


protocol  "alice"  (rO 

:  observable 

Bool  [3]  , 

rl: 

observable 

Bool  [3] 

mO 

:  observable 

Bool  [3]  , 

ml : 

observable 

Bool  [3] 

fO 

:  observable 

Bool  [3]  , 

fl: 

observable 

Bool  [3] 

e : 

observable  Bool) 

begin 

skip; 

<1 


f0[0]  :=  ( 

(neg 

e) 

/\ 

(m0  [0] 

xor 

o 

i — i 

o 

1 _ 1 

' — s 

\/ 

(e 

/\ 

(m0  [0] 

xor 

N 

1 - 1 

o 

1 _ 1 

T — 1 

f 1 [0]  :=  ( 

(neg 

e) 

/\ 

(ml  [0] 

xor 

rl  [0]  )  ) 

\/ 

(e 

/\ 

(ml  [0] 

xor 

rO  [0]  ) ) 

f  0  [1]  :  =  ( 

(neg 

e) 

/\ 

(mO  [1] 

xor 

rO  [1] )  ) 

\/ 

(e 

/\ 

(mO  [1] 

xor 

rl  [1]  )  ) 

f  1  [1]  :  =  ( 

(neg 

e) 

/\ 

(ml  [1] 

xor 

rl  [1]  )  ) 

\/ 

(e 

/\ 

(ml  [1] 

xor 

rO  [1]  ) ) 

f  0  [2]  :  =  ( 

(neg 

e) 

/\ 

(mO  [2] 

xor 

rO [2] )  ) 

\/ 

(e 

/\ 

(mO  [2] 

xor 

rl  [2]  )  ) 

f 1  [2]  :  =  ( 

(neg 

e) 

/\ 

(ml  [2] 

xor 

rl  [2]  )  ) 

\/ 

(e 

/\ 

(ml  [2] 

xor 

rO  [2]  ) ) 

l>; 

skip 

end 

protocol  "bob"  (e:  Bool, 

rd:  observable  Bool [3],  d:  observable  Bool,  c:  observable  Bool, 

fO:  observable  Bool[3],  fl:  observable  Bool[3],  me:  observable  Bool[3]) 
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begin 

<1  e : =  d  xor  c  I > ; 
skip; 

<1 

mc[0]:=  ( (neg  c)  /\  (f0[0]  xor  rd[0]))  \/  (c  /\  Cf  1  CO]  xor  rd[0]))  ; 

mc[l]:=  ((neg  c)  /\  (fO[l]  xor  rd[l]))  \/  (c  /\  (f  1  [1]  xor  rd[l]))  ; 

me  [2]  :  =  ((neg  c)  /\  (f0[2]  xor  rd[2]))  \/  (c  /\  (fl[2]  xor  rd[2])) 

l> 

end 


A. 4  Message  Transmission  with  Uncertain  Delay 

This  example  models  a  scenario  where  an  agent  Alice  sends  a  message  x  to  Bob 
through  a  channel  with  a  bounded  delay.  The  example  is  parameterized  by  the 
maximum  length  n  of  the  delay.  The  instance  with  n  =  3  is  shown. 

Initially,  all  variables  except  Alice’s  local  variable  x  and  the  array  delay  are 
0.  At  time  0,  Alice  writes  the  message  i  to  a  buffer,  and  at  time  1,  Alice  sets 
a  bit  to  True  to  start  the  transmission.  The  message  is  delivered  as  soon  as 
the  value  delay [ 0]  is  True.  Here  delay  is  an  array  of  length  n,  which  initially 
has  a  random  value.  At  each  step,  the  values  in  the  array  shift  to  the  left  by 
one  position,  and  the  final  value  is  set  to  be  False.  Thus,  delay[ 0]  becomes  F 
by  time  n  at  the  latest,  and  the  message  is  guaranteed  to  be  delivered  by  time 
n  +  1. 

In  this  example,  we  consider  a  query  that  involves  nested  knowledge.  It  is 
the  case  that  Alice  considers  it  possible  up  to  time  n+1  that  the  message  has  not 
yet  been  delivered,  but  by  time  n  +  1  Alice  knows  that  the  message  must  have 
been  delivered.  In  fact,  it  is  common  knowledge  at  time  n  +  1  that  the  message 
has  been  delivered.  We  consider  a  query  that  says  that  Alice  Knows  that  Bob 
Knows  that  Alice  Knows  that  Bob  Knows  that  Alice  Knows  the  message  has 
been  received  by  Bob. 

delay  :  Bool  [3] 
outA  :  Bool 
sentA  :  Bool 

inB  :  Bool 
rcdB  :  Bool 

init_cond  =  neg  (sentA  \/  outA  \/  inB  \/  rcdB) 

agent  Alice  "sender"  (outA,  sentA) 
agent  Bob  "receiver"  (inB,  rcdB) 

transitions 

begin 

—  delay  [0]  captures  whether  transmission  is  delayed  in  the  current  step 

—  if  there  is  no  delay  and  Alice  has  sent,  then  Bob  receives 
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rcdB  :=  rcdB  \/  (neg  delay  [0]  /\  sentA  ); 

inB  :=  (neg  delay [0]  /\  sentA  /\  outA)  \/  ( (delay [0]  \/  neg  sentA)  /\  inB) ; 

—  delay  starts  out  random,  and  shifts  from  right  to  left 

delay  [0]  :=  delay  [1]  ; 
delay  [1]  :=  delay  [2]; 
delay  [2]  :=  False 
end 

spec_spr  =  X  4  Knows  Alice  (Knows  Bob  (Knows  Alice  (Knows  Bob  (Knows  Alice  rcdB  )))) 

—  Alice’s  protocol. 

protocol  "sender"  (chan  :  Bool,  sent  :  Bool  ) 

x:  Bool 

begin 

< |  chan  : =  x  I >  ; 

<1  sent  :=  True  |>  ; 
skip;  skip;  skip 
end 


—  Bob’s  protocol. 

protocol  "receiver"  (chanin:  observable  Bool,  red:  observable  Bool) 
begin 

skip;  skip;  skip;  skip 
end 


A. 5  Two-Phase  Protocol 

In  the  Dining  Cryptographers  protocol,  it  is  assumed  that  at  most  one  agent 
wishes  to  communicate  the  message  that  they  paid.  The  two-phase  protocol, 
also  from  [10],  is  an  application  of  the  basic  Dining  Cryptographers  protocol, 
in  which  multiple  rounds  of  the  basic  dining  cryptographers  protocol  are  used 
to  allow  anonymous  broadcast  in  a  setting  where  multiple  agents  may  have  a 
message  to  send. 

We  model  an  abstraction  of  this  protocol,  in  which  the  message  of  each 
agent  consists  of  a  single  bit,  and  each  application  of  Dining  Cryptographers 
scheme  is  represented  by  taking  the  exclusive-or  of  the  bits  contributed  to  the 
round  by  each  of  the  agents.  It  is  shown  in  [1]  that  this  abstraction  is  sound  for 
verification  of  epistemic  properties. 

The  protocol  operates  in  two  phases.  The  second  phase  consists  of  some 
number  m  of  rounds  of  the  basic  Dining  Cryptographers  protocol,  which  some 
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agent  may  use  to  anonymously  broadcast  a  message.  Of  course,  to  remain 
anonymous,  the  slot  in  which  it  chooses  to  broadcast  must  not  be  predictable, 
so  the  agent  must  choose  its  slot  randomly.  This  creates  the  risk  of  collisions,  in 
which  two  agents  broadcast  in  the  same  slot.  This  is  problematic:  the  Dining 
Cryptographers  protocol  assumes  that  at  most  one  agent  is  sending  a  message. 

To  decrease  the  risk  of  a  collision,  in  the  first  phase,  any  agent  with  a  message 
to  broadcast  attempts  to  book  one  of  the  broadcast  slots.  To  maintain  its 
anonymity,  the  booking  of  a  slot  must  also  be  done  anonymously,  and  the  Dining 
Cryptographers  protocol  is  also  used  by  the  agent  to  announce  that  it  wishes  to 
use  its  chosen  slot.  Thus,  the  first  phase  also  consists  of  m  rounds  of  the  Dining 
Cryptographers  protocol. 

Some  collisions  can  be  detected  during  the  first  round  -  in  particular,  if 
an  even  number  of  agents  attempt  to  book  the  same  slot,  they  will  detect  the 
collision  from  the  outcome  of  that  booking  round.  There  remains  the  possibility 
of  undetected  collisions  —  the  idea  of  the  protocol  is  that  these  will  be  detected 
during  the  transmission  round,  and  that  in  this  case,  the  agent  will  make  another 
attempt  to  transmit  in  a  later  run  of  the  protocol. 

This  makes  the  precise  conditions  under  which  it  is  known  that  a  message 
has  been  successfully  transmitted  using  the  two-phase  protocol  quite  subtle. 
For  a  longer  discussion  of  the  subtleties,  see  [1].  We  focus  on  one  of  the  simpler 
queries  from  that  analysis,  concerning  whether  an  agent  knows  that  some  other 
agent  is  transmitting  a  particular  bit. 

In  the  script,  the  boolean  array  slotsCi  is  used  to  represent  which  slot,  if 
any,  agent  C i  has  selected  for  its  transmission;  slotsCi[0]  represents  that  the 
agent  has  nothing  to  transmit.  The  initial  condition  states  that  at  exactly  one 
of  slotsCifj]  holds,  for  j  =  0 . . .  n.  The  variables  rri  are  used  to  capture  the 
results  of  the  reservation  round  i  during  the  first  phase.  These  values  are  then 
used  during  the  corresponding  round  of  the  transmission  phase  to  determine 
whether  a  value  has  been  received  in  that  round.  Variable  rcvdV  for  X  £  {0, 1} 
is  used  to  represent  that  a  bit  X  has  been  received. 

This  example  scales  by  increasing  the  number  of  agents  or  increasing  the 
number  of  available  slots.  We  have  experimented  with  two  versions,  one  where 
the  number  of  slots  is  fixed  at  5,  and  we  vary  the  number  of  agents,  and  another, 
where  we  vary  the  number  of  agents  and  keep  this  equal  to  the  number  of  slots. 

The  query  that  we  consider  states  that  the  variable  rcvdl  corresponds  pre¬ 
cisely  to  the  agent  knowing  that  some  agent  is  transmitting  the  bit  1.  (We  verify 
this  for  agent  CO,  it  holds  for  the  others  by  symmetry.) 

type  Slot  =  {0..3}- 
slotsCO  :  Bool  [Slot] 
slotsCi  :  Bool  [Slot] 
slotsC2  :  Bool  [Slot] 
say  :  Bool  [3] 
round_result  :  Bool 

init_cond  = 

(neg  (slotsC0[0]  /\  slotsC0[l]))  /\  (neg  (slotsC0[0]  /\  slotsC0[2]))  /\ 
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(neg  (slotsC0[0]  /\  slotsC0[3]))  /\  (neg  (slotsCO[l]  /\  slotsC0[2]))  /\ 

(neg  (slotsCO[l]  /\  slotsC0[3]))  /\  (neg  (slotsC0[2]  /\  slotsC0[3]))  /\ 

(neg  (slotsCl[0]  /\  slotsCl[l]))  /\  (neg  (slotsCl[0]  /\  slotsCl[2]))  /\ 

(neg  (slotsCl[0]  /\  slotsCl[3]))  /\  (neg  (slotsCl[l]  /\  slotsCl[2]))  /\ 

(neg  (slotsCl[l]  /\  slotsCl[3]))  /\  (neg  (slotsCl[2]  /\  slotsCl[3]))  /\ 

(neg  (slotsC2[0]  /\  slotsC2[l]))  /\  (neg  (slotsC2[0]  /\  slotsC2[2]))  /\ 

(neg  (slotsC2[0]  /\  slotsC2[3]))  /\  (neg  (slotsC2[l]  /\  slotsC2[2]))  /\ 

(neg  (slotsC2[l]  /\  slotsC2[3]))  /\  (neg  (slotsC2[2]  /\  slotsC2[3]))  /\ 

(slotsC0[0]  \/  slotsCO[l]  \/  slotsC0[2]  \/  slotsC0[3])  /\ 

(slotsCl  [0]  V  slotsCl  [1]  \/  slotsCl  [2]  \/  slotsCl[3])  /\ 

(slotsC2  [0]  V  slotsC2  [1]  \/  slotsC2  [2]  \/  slotsC2[3]) 

agent  CO  "twophase_protocol"  (slotsCO,  say[0],  round_result) 
agent  Cl  "twophase_protocol"  (slotsCl,  say[l],  round_result) 
agent  C2  "twophase_protocol"  (slotsC2,  say[2],  round_result) 

transitions 

begin 

round_result  :=  say[0]  xor  say[l]  xor  say  [2] 
end 

—  rcvdX  =  I  know  someone  else  is  sending  X 
spec_spr  =  X  13  CO.rcvdl  <=> 

Knows  CO  ((neg  slotsCl  [0]  /\  Cl. message)  \/  (neg  slotsC2[0]  /\  C2. message)) 

protocol  "twophase_protocol" 

( 

slot_request :  observable  Bool[], 
say  :  Bool, 

round_result :  observable  Bool 

) 

—  the  following  variables  are  initialised  nondeterministically : 

—  the  message  the  agent  sends ,  if  any 
message  :  observable  Bool 

—  the  result  for  each  DC  round 

—  rri  =  message  received  in  booking  round  i 


rrl 

Bool 

rr2 

Bool 

rr3 

Bool 

rcvdX  =  I  know  a  message  X  has  been  sent  by  someone  else 
rcvdO  :  Bool 
rcvdl  :  Bool 
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begin 

—  reservation  phase 

—  time  0 

<1  say  :=  slot_request [1]  |>; 

rrl  :=  round_result  |>; 

say  :=  slot_request [2]  |>; 

rr2  :=  round_result  |>; 

say  :=  slot_request [3]  |>; 

rr3  :=  round_result  |>; 

initialize  rcvd  vars 
rcvdO:=  False  ;  rcvdl  :=  False  |>; 

-  Sending  phase : 

say  :=  (slot_request [1]  /\  rrl  /\  message  )  |> 


rcvdl  :=  rcvdl  \/  (neg  slot_request [1]  /\  rrl  /\ 
(slot_request [1]  /\  rrl  /\  (message  xor 

rcvdO  :=  rcvdO  \/  (neg  slot_request [1]  /\  rrl  /\ 
(slot_request [1]  /\  rrl  /\  (message  xor 


round_result)  \/ 
round_result) ) ; 

neg  round_result)  \/ 
round_result) ) 


l> 


<1  say  :=  (slot_request [2]  /\  rr2  /\  message  )  |>  ; 

<1 

rcvdl  :=  rcvdl  \/  (neg  slot_request [2]  /\  rr2  /\ 
(slot_request [2]  /\  rr2  /\  (message  xor 

rcvdO  :=  rcvdO  \/  (neg  slot_request [2]  /\  rr2  /\ 
(slot_request [2]  /\  rr2  /\  (message  xor 

l>  ; 

<1  say  :=  (slot_request [3]  /\  rr3  /\  message  )  |>  ; 

<1 

rcvdl  :=  rcvdl  \/  (neg  slot_request [3]  /\  rr3  /\ 
(slot_request [3]  /\  rr3  /\  (message  xor 

rcvdO  :=  rcvdO  \/  (neg  slot_request [3]  /\  rr3  /\ 
(slot_request [3]  /\  rr3  /\  (message  xor 

l> 

end 


round_result)  \/ 
round_result) ) ; 

neg  round_result)  \/ 
round_result) ) 


round_result)  \/ 
round_result) ) ; 

neg  round_result)  \/ 
round_result) ) 
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